The New Face of Cybercrime Revealed
One thing Verizon's 2009 Data Breach Investigations Report makes clear is that cyber crime has taken on a frightening level of maturity. This is the second year that Verizon has published data from the breach investigation work it performs for its clients. Because it reports only on the specific customers it works for, comparing year-over-year results may not be statistically meaningful. But the report is the most comprehensive analysis available of trends in attack methods, and for that reason it is worth delving into.
Most data breach reports include what is, frankly, spurious data. A lost or stolen laptop, or even a dossier of top secret information left on a commuter train seat, has less to do with an increase in threats than with the reporting requirements derived from various pieces of legislation. While such reports do drive home the expense, loss of reputation, and compliance obligations that come with data protection, they do not shed the light on attacker methodology that Verizon's report does.
The most dramatic revelation is that the market value of stolen credit card data has plunged. The market is saturated with card data stolen from large payment processors and retailers. From prices in the $10-$12 per record range, values have dropped to $0.50. To understand how credit card data is used by criminal organizations, look at how information stolen in the infamous TJX data breach was monetized. Criminals in Florida used magnetic stripe encoding machines to write the stolen account data onto counterfeit cards they manufactured; the account information did not even match the names embossed on the cards. They would then go to local Wal-Mart stores and purchase $400 in gift cards. One zealous carder bought $18,000 of gift cards from several Wal-Mart stores in one day. The gift cards were then exchanged for jewelry and electronics at other stores. Police estimate the group stole $8 million in this manner.
Carding operations rely on a steady supply of stolen data, and Verizon's report indicates there is no shortage of stolen credit card records. But if cyber thieves can no longer get a good price for their goods, what will they turn to next? Verizon's report says the present target is PINs. In other words, thieves are stealing the PINs that, together with card data, allow criminals to create working ATM cards and thus drain money directly from accounts. While Verizon cannot reveal the names of its customers, the most dramatic use of stolen PINs to date involved data stolen from RBS WorldPay, an Atlanta-based payment processor and card issuer. These PINs were used to forge ATM cards that were then used to withdraw $9 million from 130 ATMs in 49 cities around the world in a single day in November of 2008.
Insiders vs. Outsiders
One surprising result from Verizon's research was that the majority of data thefts, 74%, were perpetrated by outside attackers. This runs counter to the oft-quoted claims of security pundits. It may have been true, before the rise of today's cyber crime economy, that insiders were responsible for most breaches, but thanks to the continuing success of data thieves that is no longer the case. Or rather, while theft of identities comes from the outside, the insider is still likely to be the culprit in cases of stolen customer lists, processes, and designs. The vast majority (91%) of the records stolen in 2008 can be attributed to organized crime, according to the report. So far arrests have been made in fifteen of the ninety cases that Verizon has been involved in. One of the most valuable aspects of the Verizon report is the helpful reminder it provides of security best practices:
"With respect to breaches caused by recently terminated employees, the following two scenarios were observed:
- Employee was terminated and his/her account was not disabled in a timely manner.
- Employee was notified of termination but was allowed to finish the day unmonitored and with normal access/privileges."
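Both scenarios above are catchable with a routine reconciliation of the HR termination feed against the directory. The following script is an added example, not code from the Verizon report or from any vendor; the HR feed, the directory export, the one-hour disable window and the `audit` function name are all assumptions constructed for illustration. It flags accounts still enabled after the termination time plus the grace window (scenario one) and any login recorded after the termination time, even on accounts that have since been disabled (scenario two, the employee who finished the day with normal access).

```python
"""Offboarding audit: flag accounts that outlive the employee they belong to.

Added example, not code from the Verizon report. Both input tables are
constructed for illustration; in practice they would come from the HR
system and a directory export (LDAP, Active Directory, etc.)."""
from datetime import datetime, timedelta

# Constructed HR feed: who was terminated and when (UTC).
HR_TERMINATIONS = [
    {"user": "jdoe",   "terminated": "2008-11-03T17:00:00"},
    {"user": "asmith", "terminated": "2008-11-10T09:30:00"},
    {"user": "bwong",  "terminated": "2008-11-12T12:00:00"},
]

# Constructed directory export: account state and last interactive login.
DIRECTORY = [
    {"user": "jdoe",       "enabled": True,  "last_login": "2008-11-05T02:14:00"},
    {"user": "asmith",     "enabled": False, "last_login": "2008-11-10T11:45:00"},
    {"user": "bwong",      "enabled": False, "last_login": "2008-11-12T10:02:00"},
    {"user": "svc_backup", "enabled": True,  "last_login": "2008-11-12T23:00:00"},
]

# Assumed policy: an account must be disabled within one hour of termination.
GRACE = timedelta(hours=1)


def _ts(s):
    """Parse the ISO-8601 timestamps used in the constructed feeds."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def audit(terminations, directory, now, grace=GRACE):
    """Reconcile HR terminations against the directory.

    Returns a list of (user, finding) tuples, in HR-feed order:
      STILL_ENABLED     - account still enabled after termination + grace
      LOGIN_AFTER_TERM  - a login recorded after the termination time,
                          whether or not the account is disabled now
      MISSING_IN_DIR    - HR says terminated but no directory record exists
    """
    by_user = {d["user"]: d for d in directory}
    findings = []
    for t in terminations:
        user, term = t["user"], _ts(t["terminated"])
        rec = by_user.get(user)
        if rec is None:
            findings.append((user, "MISSING_IN_DIR"))
            continue
        if rec["enabled"] and now > term + grace:
            findings.append((user, "STILL_ENABLED"))
        if rec["last_login"] and _ts(rec["last_login"]) > term:
            findings.append((user, "LOGIN_AFTER_TERM"))
    return findings


if __name__ == "__main__":
    # Run the audit as of the morning after the last termination.
    for user, finding in audit(HR_TERMINATIONS, DIRECTORY,
                               now=_ts("2008-11-13T08:00:00")):
        print(f"{user}: {finding}")
```

The LOGIN_AFTER_TERM check is the important one: asmith's account is already disabled, so a snapshot of enabled accounts would look clean, yet the login two hours after notification is exactly the window in which a departing employee walks out with the customer list. Service accounts are deliberately ignored here; they need their own owner-based review.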
Third Party Threats
The report also emphasizes the threat from third parties that may have administrative access to a victim's IT assets. This could be a vendor that provides maintenance services, or a third party whose data connection into the victim was compromised. The Satyam World Bank fiasco reported last year is not mentioned, but it was easily one of the most egregious examples of a third party stealing data: the World Bank had outsourced most of its IT operations to the Indian outsourcer, whose workers installed spy software on internal computers.
The predominant method of attack the Verizon team observed was the use of default passwords or shared credentials. This timely reminder that identity and access management are key to protecting the enterprise warrants an immediate review of access controls. Once the attackers gained access, in most cases they installed malware that captured more credentials via keystroke logging and opened a back door that allowed them to return to the compromised machine and transfer the stolen information out.
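The access-control review the paragraph calls for starts with an inventory question: which accounts still carry a vendor default, and which password is reused across hosts so that one compromise opens all of them? The script below is an added example, not code from the Verizon report or from any vendor; the inventory, the list of default pairs and the use of unsalted SHA-256 as the stored hash are constructed assumptions for illustration. It checks each inventoried account against known default username/password pairs and groups accounts by password hash to surface credentials shared across machines.

```python
"""Credential hygiene audit: find default and shared credentials in an
account inventory. Added example, not code from the Verizon report.
The inventory and the default-credential list are constructed."""
import hashlib
from collections import defaultdict


def _h(pw):
    # Unsalted SHA-256 stands in for whatever the inventory stores. This is a
    # simplification: a properly salted store defeats hash comparison, and the
    # shared-credential check would then need plaintext pulled from a vault.
    return hashlib.sha256(pw.encode()).hexdigest()


# Illustrative vendor-default pairs (constructed; a real audit would use the
# documented defaults for each product actually present in the inventory).
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"),
                  ("root", "toor"), ("sa", "")}
DEFAULT_HASHES = {(u, _h(p)) for u, p in KNOWN_DEFAULTS}

# Constructed inventory: (host, service, username, password_hash).
INVENTORY = [
    ("pos-01",  "mssql",  "sa",    _h("")),             # vendor default
    ("pos-02",  "mssql",  "sa",    _h("Pos!2008")),     # shared across POS hosts
    ("pos-03",  "mssql",  "sa",    _h("Pos!2008")),
    ("vpn-gw",  "ssh",    "admin", _h("admin")),        # vendor default
    ("db-core", "oracle", "sys",   _h("x7#Qm9!r2Lp")),  # unique
    ("pos-04",  "mssql",  "sa",    _h("Pos!2008")),
]


def find_default_credentials(inventory):
    """Accounts whose (username, hash) matches a known default pair."""
    return [(host, svc, user) for host, svc, user, ph in inventory
            if (user, ph) in DEFAULT_HASHES]


def find_shared_credentials(inventory, min_hosts=2):
    """Password hashes reused on min_hosts or more distinct hosts.

    Returns {hash: sorted list of (host, service, user)} so the reviewer can
    see the blast radius of a single captured password."""
    groups = defaultdict(list)
    for host, svc, user, ph in inventory:
        groups[ph].append((host, svc, user))
    return {ph: sorted(v) for ph, v in groups.items()
            if len({host for host, _, _ in v}) >= min_hosts}


if __name__ == "__main__":
    for host, svc, user in find_default_credentials(INVENTORY):
        print(f"DEFAULT  {host}/{svc} user={user}")
    for ph, accounts in find_shared_credentials(INVENTORY).items():
        hosts = ", ".join(h for h, _, _ in accounts)
        print(f"SHARED   hash={ph[:12]}... on {hosts}")
```

The shared-credential finding is the one that maps to the attack pattern described: a keystroke logger on pos-02 yields a password that also opens pos-03 and pos-04, with no further exploitation needed. Treat the default list as a starting point only; the check is exact-match, so a default with a trailing space or a different case will not be caught.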
Verizon's report on 2008 data breaches and their causes marks a turning point in the world threatscape. It documents the predominance of targeted attacks against data stores that will lead to financial gain for the attackers. The first-hand knowledge gained by Verizon's investigators paints a picture of well-funded, organized efforts to pick targets, usually financial services or retail operations, and to execute attacks over a period of months that are ultimately successful.
Most security standards were designed specifically to counter targeted attacks, yet organizations have invested the most in fighting worms, viruses, spyware, and spam. Last year it became evident that there is a large community of attackers who will seek out and compromise the defenses of any organization that has not shifted gears to meet the besieged environment that is now evident.
Every IT security professional and every IT leader should read Verizon's report and begin to re-think their defensive strategies. Failure to do so may mean becoming the victim of a targeted attack, and thereby a subject of next year's report.
Richard Stiennon is a security industry analyst. He writes the security blog for ThreatChaos.com and has re-launched IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. Most recently Richard was chief marketing officer for Fortinet, the leading UTM vendor. Prior to Fortinet he was VP of Threat Research at Webroot Software.