Breaches: Small Incidents Add Up to Greatest Losses'Death by 1,000 Cuts,' Says Verizon's Wade Baker
Fraudsters are reaping more financial rewards for smaller attacks targeted at merchants. According to industry breach analysis conducted by Verizon, it seems point-of-sale attacks have become criminals' most desired fraud vector.
But breaches are impacting all industry verticals, says Wade Baker, director of risk intelligence at Verizon, during an interview with BankInfoSecurity's Tracy Kitten [transcript below]. Hackers are going after the money, which means financial services and entities connected to payments remain at the greatest risk, he says.
Verizon's industry analysis reveals most breaches have monetary implications.But Baker does have advice. To mitigate risks, he recommends institutions, businesses and organizations:
- Utilize Data Analysis: "I'm a big fan of using data to combat data thieves," Baker says. "We'll always be somewhat reactionary. At least we can react as quickly as possible, and having more data and doing thorough data analysis ... help us respond more effectively."
- Prioritize Controls: Baker says a threat-based model works best, as opposed to trying to plug all the vulnerabilities that exist within the infrastructure.
- Ensure Secure Application Development and Coding Practices: Approach them in a secure manner. "We see a lot of SQL injections with financial institutions," Baker says. "Secure web applications, secure development and good coding practices are very important."
The analysis includes industry snapshots compiled with data collected for the Verizon 2012 Data Breach Investigations Report. The analysis reviews approximately 1,600 international breach incidents from 2010 and 2011. "In the snapshots, we are trying to give more specific information," Baker says.
During this interview, Baker discusses:
- Why smaller breaches, especially at the merchant level, are often the most harmful;
- How hacktivist attacks affected breach tallies for 2011;
- Steps organizations can take to mitigate their risk of financial exposure.
Baker is the director of risk intelligence for Verizon. In this role, he oversees the collection and analysis of data relevant to understanding and managing information risk. Intelligence from these activities is used to create and improve products, inform personnel and clients, and publish credible research to the security community.
Baker is the creator, author and primary analyst for the Verizon Data Breach Investigations Report series, and his work on various topics has been published in a number of highly rated academic journals, professional magazines and books. His research for the President's Information Technology Advisory Council was featured in the 2005 Report, "Cyber Security: A Crisis of Prioritization."
TRACY KITTEN: What can you tell us about the breach-trend analysis?
WADE BAKER: In 2012, there were 855 breaches; in 2011, there were 761 breaches. We're talking 1,600 incidents that we've investigated over the last couple of years. When you look at the statistics across that many breaches, the findings don't speak well to any specific segment or particular group. It's just what we see across everything. That's large businesses and small businesses all over the world and different types of industry.
In these snapshots, we're trying to give much more specific glimpses into the problems and challenges within financial services, for instance, or related to intellectual property theft. I think that's the real value here. It's not new data, necessarily, but it's a new perspective, or at least a more clear view, into the data set that we published over the last couple of years.
Data Protection Challenges
KITTEN: Explain why financial services has such difficulty when it comes to information protection?
BAKER: I've enjoyed doing these snapshots because I've kind of visualized attacks on a continuum, from the highly opportunistic, purely financially motivated, mainline criminal activity to the other end of the spectrum, where you have your more targeted attacks. The financial services sector is interesting because it represents the turning point. It represents both of those areas on the spectrum. We do see highly opportunistic attacks and things that are relatively easy, but we also see more targeted things.
When you look at the results in this snapshot, you're going to see, for instance, a balanced threat profile. If you look back at the 2012 DBIR and you look at the figure that lists our seven main threat actions, you're going to see it heavily weighted toward malware and hacking, and that's a lot of those automated, industrialized and opportunistic attacks. But you look at this financial services snapshot and it's much more balanced; there's diverse tactics. Physical is the most frequent threat category, and that has a lot to do with ATM tampering and things like that. It's an interesting mix, where you really start to see that all of these activities are not just one-dimensional, in terms of network intrusions; there are a lot of different ways organizations or criminals are stealing financial data, especially from financial organizations.
Retail and Healthcare Challenges
KITTEN: What about some of these other industries or sectors?
BAKER: The one that's going to look very similar to the results in the overall data breach report is the one for accommodation and food services, which is a sector for the quintessential opportunistic attack. All those criminals care about is stealing payment-card data, and they want to do that as easily as possible. Retail is similar, as you might imagine. But in the retail snapshot, there's a much larger proportion of the skimming activity, where there is gas-pump skimming or devices installed on point-of-sale systems. You start to see that in there. We also start to see more application-oriented attacks on more of your larger online retailers.
Healthcare is an interesting study in our data set, which again is not just Verizon data. In healthcare breaches, it is still about stealing payment cards and personal information, mainly for the purposes of fraud. When you look at this healthcare snapshot, you're going to see something that looks rather a lot like accommodation, food-services and retail. It's the same kind of threat space, because you have the same criminal element that's trying to steal data to commit fraud. A lot of those will be mixed in with healthcare: a lot of clinics, doctor's and dentist's offices, where they still have to process transactions and take people's data.
Top Security Concerns
KITTEN: How do security issues in retail and healthcare impact the financial-services sector?
BAKER: I was talking to a financial services organization last week and they were saying that there's a perception out there that most of their losses come from very large breaches, either to themselves or other large financial institutions. But it's really more like death by a thousand cuts, and it's the smaller merchants that we deal with. When those merchants are compromised, a lot of times financial services ends up paying the bill. I think that's how the impact finds its way back to the financial institutions.
You mentioned the point-of-sale vulnerabilities. So many of those small merchant compromises are due to poorly maintained or poorly implemented point-of-sale devices, and the criminals all around the world know exactly how to exploit those things. I could do a scan across just the large IT space and find a point-of-sale server that's communicating on a remote-access port and then, if it's got an easy password there, I'm in and I can install malware and steal all the card data I want. That, unfortunately, happens around the clock all too easy.
KITTEN: Why is intellectual property, at least the theft of it, so difficult to find and identify?
BAKER: We did five snapshots. Four of them are industry-based and then we have this one snapshot on intellectual property that we threw in. It might seem out of sorts, but the reason we did it was just to draw the focus that intellectual property theft is a different kind of beast. It really takes place using different methods. A lot of times it's different groups that are doing it and it requires different fixes. It kind of deserved its own category.
When you look at this intellectual property snapshot, we do an analysis of the types of industries affected, and financial services is right up there, along with government, technology companies and media companies. It's certainly true that intellectual property is being stolen from financial services organizations. They're harder to deal with, because a lot of them take place by insiders, for instance. The rate of these incidents that are attributed to a malicious insider is 10 times the rate for across the entire data breach report. With the 2012 DBIR, 4 percent of incidents were attributed to insiders. For intellectual property theft, 41 percent involved insiders.
Furthermore, the attacks often trick, bribe, deceive or somehow use an insider in order to be successful. The overall point there is when you start involving that human element, it requires a different approach to solving the problem, and it's also much harder to detect.
Almost a third of all of those incidents take years for the victim to discover that intellectual property has been stolen. They're just hard to detect for many reasons.
Increase in Breach Incidents
KITTEN: Can you account for why 2011 saw such a significant increase in breach incidents as well as compromised data totals?
BAKER: If you look at our curve of the tally of total records stolen over each year, it's a very similar trend. You hit a height in 2008 and 2009, where you had very large breaches in the financial sector. They were very public, so they drove those totals up. A lot of those people were arrested. There was a law enforcement backlash against that, and I think the criminals changed their tactics. They realized, "I can make my money stealing a smaller amount of data from a much larger set of victims and I can use more of that for fraudulent purposes than if I steal 100 million records from one institution." In big breaches, they don't get a chance to use a fraction of 100 million records for fraud before the incident is discovered. But if you steal a thousand records from a thousand different smaller merchants, you could probably use a much larger share.
The criminal motive and ways that they operate drove the total number of records stolen down; then we had an upswing in the last year, but the upswing was not necessarily due to those organized criminal groups. They steal 100,000 records, a million, 10 million in some cases, and just release them on the Internet to embarrass somebody. If your goal is not to quietly commit as much fraud as you can, but to make noise and public embarrassment, then it helps to steal a lot of data. Stealing 10 records from somebody you want to embarrass is not nearly as effective as stealing a million or 2 million. In 2011, most of that upswing was attributed to the hacktivist-type group.
Attacks, Malware Schemes
KITTEN: What nuances did Verizon identify in the those types of attacks?
BAKER: Denial-of-service attacks are certainly big news. These groups are trying to make a point, and they're incredibly efficient at it. They've announced, "We will attack financial institution X from 10 a.m. to 5 p.m., and then tomorrow we're going to attack somebody else," and they have made good on their word. The tactics that we've seen are changing in some cases from institution to institution. They're using different methods. They seem to be adapting to the response set up by the target entity. It's been an interesting study, in that regard.
On the malware side, it's increasingly fascinating to me. Several years ago, we recorded this trend line of the percentage of incidents that we investigated that involved customize malware, and for several years that line was really going up at a quick pace. But over the last couple of years, that has slowed down and even reversed direction, so that we see less customized malware involved.
Instead of customized, it's really about commoditized. You see websites that offer up malware for use in criminal activity and it's very user friendly. It has a pretty user interface. The malware comes guaranteed to work with an SLA [service level agreement]. If you have problems, you can call a toll-free help desk. This was a fascinating study on the commoditizing of criminal weapons, if you will. It has really served to lower the bar of entry for a large segment of the criminal population, where your script kiddies and your skilled attackers are now using pretty sophisticated malware in everyday attacks; that really makes it difficult to deal with from a defender's perspective.
Tips for Organizations
KITTEN: What would be some of Verizon's tips, based on some of the mid-year or mid-release analysis you've put out?
BAKER: I'm a big fan of using data to combat data thieves because they have the advantage; they have the first-mover advantage. They have the general advantage that all attackers have over defenders, and we will always be somewhat reactionary. At least we can react as quickly as possible, and having more data and going thorough data analysis, really understanding our adversaries and the techniques they're using can help us respond more quickly and more effectively.
In terms of prioritizing controls, I'm a big fan of prioritizing controls in a threat-based way, as opposed to trying to plug all the vulnerabilities that exist across their infrastructure. In that vein, what we've done in these snapshots, even in the main DBIR, is take the most common threat. There are certain things that are relevant to everyone. We always find, most likely, that for any kind of organization, the next breach is going to be because of something you thought you were doing but weren't - at least not comprehensively or consistently. Really check things and make sure those practices are implemented and validated.
Beyond that, for financial services, we do recommend some things around ATMs, because there are a lot of people targeting those machines. We make some recommendations around authentication. That's a huge problem for financial services, the stolen credentials and things like that. [Have] two-factor authentication and other ways to make sure that whoever is logging in to your system is who they say they are. It's a big deal.
We see a lot of SQL injections with financial institutions. Secure Web applications, secure development and good coding practices are very important, and there are several other things along those organizations should implement, such a threat-based prioritized list to practice.