“When you do not know where the data is, it is like playing cricket with your eyes closed”
In its fifth year of publication, the Data Breach Investigations Report (DBIR) by Verizon spans 855 data breaches across 174 million stolen records. Mark Goudie, Managing Principal, Asia-Pacific – Investigative Response, Verizon Business, talked to Jasmine Desai about the latest security threats and how organizations can counter them.
Can you share highlights of the DBIR 2012?
In the past couple of years, we have seen more cases of breaches outside the US. There were two distinct trends when it came to data breaches. Firstly, there is a significant increase in small, highly damaging attacks. Organized crime is switching from attacking large data to small data targets, making them harder to detect. The use of hacking and malware increased in conjunction with the rise in external attacks during 2011. The types of data being stolen are changing significantly. A lot of crime is motivated by espionage. Earlier, it was mostly for financial gain, but that is changing. The other major target is personally identifiable information. Criminals are focusing on creating different identities to create passports, bank accounts, etc. Also, while compliance programs, such as the PCI-DSS, provide sound steps toward increasing security, being PCI-DSS compliant does not make an organization immune to attack.
Large organizations detected many of these breaches on their own. 92% of data breaches were detected by the affected party themselves; the information security personnel who are specifically tasked with monitoring and looking after information security found 16% of the data breaches. 28% of data breaches were found by the general user population who are not in charge of looking after security. This is a good trend because the faster a data breach is discovered, the faster it can be prevented from spreading, reducing its impact.
Could you shed some light on data breaches in India?
There are common types of businesses that are attacked in India, such as BPOs. We still see credentials being used by attackers. However, there is a slight difference in the way that these credentials are used as opposed to how they are used globally. Due to the existence of more sophisticated security policies, the attackers rely more on social engineering and on stealing credentials.
Which was the most common security weakness discovered at organizations where a data breach occurred?
In a typical data breach, an unsophisticated attack is utilized to steal some data in the first place in order to gain access to the organization. That is where keyloggers are used to break into an organization. A sophisticated attack would be when the attacker installs other malicious software to steal data. Therefore, when a data breach is discovered, the attacker is able to maintain access to the organization and can continue to steal data for an extended period of time using additional backdoors or other ways in which they can install software and maintain access to the organization. During one data breach, the attacker had been inside the organization for so long that it took us eight months to get rid of him.
Do you see security becoming multi-layered and responding in real-time to these attacks?
Multi-layered security is absolutely critical. Any organization that relies on one layer of security will face a data breach very soon. Reliance on anti-virus software is no longer sufficient to prevent breaches. 50% of malicious software cannot be stopped by any anti-virus. What most organizations need to do is to improve their security posture and know where the data resides. The more extensive the storage, the more the opportunities for an attacker to employ a backdoor to commit a data breach.
DLP is still not implemented in all Indian organizations. What would you suggest in this scenario?
To make DLP a success, it is vital to identify where the sensitive data is. So, if you want to protect it, you really need to know where the data resides. It’s a bit like cricket: you have to watch where the ball is going to go. So when an organization does not know where the data is, it is very much like playing cricket with your eyes closed.
For 2012, what should be major components in security policies across organizations?
The main recommendations would be ways in which an organization can get the best information security value. The most important recommendation for organizations is to know where your data is. Secondly, look at ways in which you can prevent malicious software from entering the organization, particularly executable malicious software. Even a good anti-virus does not prevent malicious software from being installed on workstations. To prevent this, organizations can consider blocking certain regions from the Internet wherein parts of the business can function without it. Also, if you look at IP filtering, many organizations block particular types of traffic from coming into their organization. However, few block data that’s leaving the organization. The recommendation here is to filter data that’s leaving. Also, organizations can have multiple layers of anti-virus. So if there is an anti-virus solution for e-mail from a particular vendor, have an anti-virus solution from a different vendor on the desktop. This will decrease the chances of malicious software entering the organization.
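The egress-filtering recommendation above (filter what leaves the organization, not only what comes in) can be expressed as a small allowlist policy evaluated over outbound flow records. The following Python is an added example for this page, not code from the interview, from Verizon or from the DBIR; the internal address range, the allowlist entries and the flow-log lines are all constructed for illustration, and the simple "src dst dport proto" log format is an assumption rather than any real product's format.

```python
"""Egress (outbound) traffic policy check over constructed flow records.

Added example, not from the interview or from Verizon: it shows the
"filter data that's leaving" recommendation as a default-deny allowlist
applied to outbound flows. Every address, network and log line here is
constructed for illustration (documentation ranges from RFC 5737).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed internal address space (assumption: one RFC 1918 /16 for the office).
INTERNAL = ip_network("10.20.0.0/16")

# Constructed egress allowlist: (destination network, destination port) pairs
# permitted to leave the network. Anything outbound that matches no entry is denied.
EGRESS_ALLOW = [
    (ip_network("0.0.0.0/0"), 443),        # HTTPS to anywhere (in practice via a web proxy)
    (ip_network("203.0.113.0/24"), 25),    # SMTP only to the organization's mail relay range
    (ip_network("198.51.100.53/32"), 53),  # DNS only to the designated internal resolver
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def is_outbound(flow: Flow) -> bool:
    """A flow leaves the organization when its source is internal and its destination is not."""
    return ip_address(flow.src) in INTERNAL and ip_address(flow.dst) not in INTERNAL


def egress_verdict(flow: Flow) -> str:
    """Return 'internal' for traffic that never leaves, 'allow' if the flow
    matches an allowlist entry, otherwise 'deny' (default-deny outbound)."""
    if not is_outbound(flow):
        return "internal"
    dst = ip_address(flow.dst)
    for net, port in EGRESS_ALLOW:
        if dst in net and flow.dport == port:
            return "allow"
    return "deny"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def denied_flows(lines):
    """Return the flows a default-deny egress filter would block (and log for review)."""
    return [f for f in map(parse_flow, lines) if egress_verdict(f) == "deny"]


# Constructed sample flow log: a mix of internal, approved and unapproved outbound traffic.
SAMPLE_FLOWS = [
    "10.20.1.15 192.0.2.10 443 tcp",      # HTTPS out: allowed
    "10.20.1.15 198.51.100.53 53 udp",    # DNS to the approved resolver: allowed
    "10.20.1.22 192.0.2.99 53 udp",       # DNS to an unapproved resolver: denied
    "10.20.1.22 192.0.2.77 9000 tcp",     # outbound to an unapproved high port: denied
    "10.20.1.22 203.0.113.5 25 tcp",      # SMTP to the mail relay range: allowed
    "10.20.1.22 10.20.5.5 445 tcp",       # internal file sharing: not egress at all
]

if __name__ == "__main__":
    for flow in denied_flows(SAMPLE_FLOWS):
        print(f"DENY {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}")
```

The two denied flows are the ones a perimeter that only filters inbound traffic would never see: an internal host talking DNS to a resolver the organization does not control, and a connection to an arbitrary high port on an external address. Reviewing the deny log is a cheap way to surface the long-lived access the interview describes, where an attacker keeps a channel out of the network for months.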