Web application attacks increased more than malware-fueled point-of-sale intrusions last year, Verizon's latest breach report shows. Analyst Dave Ostertag reviews the complete results and offers breach prevention insights.
The 2014 Data Breach Investigations Report, which analyzes more than 1,300 data breaches investigated by Verizon and its partners in 2013, shows that Web app attacks were to blame for 35 percent of those breaches, while only 14 percent were related to POS intrusions. In 2011 and 2012, approximately 10 percent of breach incidents were linked to Web app attacks, while POS intrusions were to blame for 60 percent of incidents in 2011, an all-time high, and approximately 10 percent in 2012.
But several huge POS breaches at major retailers, including Target Corp., have been in the spotlight in recent months. And Verizon determined that many POS breaches could have been prevented if organizations had taken basic steps to enhance security, says Ostertag, global investigation manager and senior analyst for the investigative response unit at Verizon, in an interview with Information Security Media Group (transcript below).
"Some of the common things we are seeing are pretty consistent across the different merchants," Ostertag says. That includes a lack of two-factor authentication on the perimeter of networks and a failure to keep anti-virus software up to date, he says.
"Some of these are pretty basic security practices," Osterag adds. "It's a wake up for the retail industry, for those merchants to take a look at their networks ... to make sure all of their systems are configured properly."
Web application attacks, whether waged via SQL injection or cross-scripting, allow for easy access to a company's intellectual property, Ostertag says. And unless businesses are regularly testing their network security and patching and updating their software and systems, network compromises from Web app attacks will increase, he says.
"What we see, overall, is that when we look at the 10 years' worth of data from 95 countries and a variety of industries, what stands out is that if you have a presence on the Internet, you are a target," Ostertag says. "Intrusion and data breaches cross all industries and all international boundaries."
During this interview, Ostertag discusses:
- Why vulnerability scanning and penetration testing are so critical;
- Why network intrusions often take months to detect; and
- Security steps all organizations should be taking to ensure they are protected.
Ostertag has more than 30 years of investigative experience in the government and security arenas. He coordinates the forensic investigations conducted by the Verizon investigative response unit worldwide. He is a certified expert witness and is a frequent instructor and speaker on the topics of data compromise investigation and international criminal organizations. Previously, Ostertag worked as a retail regional investigator and served 14 years as a police detective sergeant and four years as a state's attorney investigator. He also was the global manager of field investigations at Discover Financial Services for more than 10 years.
Security Steps to Avoid Breaches
TRACY KITTEN: How does this year's report compare with information that's been gathered for reports published in previous years?
DAVE OSTERTAG: If we look at the 2013 Data Breach Report, which included 1,300 breaches, this year doubled what we had in last year's report. Ninety-five countries reported breaches, while the 2013 report had 27 countries included that had reported breaches. If we look at the contributors, there's 50 globally this year, including Verizon; last year's report had 18 contributors; the year before had five. A dramatic increase in the contributors and number of incidents around the world [make] this year's a truly global report.
KITTEN: How many years of comparative data does Verizon have to work with in its annual report?
OSTERTAG: This is the seventh report. This year's report contains 10 years-worth of data. We've collected data back to 2004.
KITTEN: Why is the difference between a breach versus an incident important to point out?
OSTERTAG: Verizon feels that making sure we have a distinction between a security incident and a breach is important. Information security requirements should use a risk-based approach to managing security, and we feel that risk should be the risk of the likelihood of data being compromised. An example: In this year's report, there's 63,000 security incidents; there are 1,300 actual data breaches involved in this year's report. So if we were trying to manage how we use our tools, I think a more focused approach is on those incidents that are likely going to result in data being compromised. That's the reason we draw the distinction, so that you can more narrowly focus your efforts and security tools on those events and patterns that result in data being compromised, as opposed to just a security incident.
Top Data Disclosure Concerns
KITTEN: POS attacks, Web-app attacks, espionage and card skimming were among the top concerns that related to data disclosure in this year's report. Is this different from previous years?
OSTERTAG: We see patterns. If we look in this year's report at the area that goes back over the past 10 years, we see POS attacks. In 2009 and 2010, we saw a drop in POS attacks; and in 2013, we see an increase in those attacks. Web-application attacks are one constant; we continue to see those. SQL injection is 15 years old, and it's still strong; even though we can prevent it and detect it, we still see it. Espionage has been there for several years now, and we continue to see a lot of [it]. I think if you look at some of the statistics on the number of espionage cases, it appears they're increasing. But I think there's some level of better reporting on those, rather than a dramatic increase in the number of those incidents. Card skimmers have been around for a long time, and they continue to be a problem. If people can get access to payment cards in certain situations, they're going to use skimmers.
KITTEN: The number of POS incidents in 2013 were actually lower than two years earlier, but have the losses linked to these breaches increased. Why?
OSTERTAG: When we look at POS intrusions ... we see an increase in the number of breaches. The reason for that is the use of RAM-scraper malware. While we saw RAM scrapers several years ago, those took a dip, too, around this same period of time. Now there's a resurgence. We see the use of RAM scrapers in most of these large retail breaches that came back in 2013. But when we look at the losses, we're pretty lucky. The payment card industry and consumers are lucky in that several of these breaches were found quickly and action was taken to identify the accounts involved. The issuing banks were able to shut those accounts down, reissue, monitor transactions, [and] do those things that really reduce the fraud losses in comparison to the number of accounts that were compromised. While there is a resurgence in cards, or in breaches involving cards, we don't necessarily see a like increase in the fraud related to those breaches.
Uptick in Breaches
KITTEN: Do you think that we'll see a significant uptick in the number of POS intrusion incidents and/or breaches at the end of 2014?
OSTERTAG: Looking at the number of cases we get and that our competitors are getting in the area of POS intrusions, I think we're going to continue to see, for a while, an uptick in the number of these breaches. We're continuously seeing new merchants that are being compromised and identified. I think in the short-term, anyway ... we won't see a reduction in the number of POS cases that are involved. Typically in these cases, too, as we work with law enforcement and other forensics firms investigating these cases, we find indicators of compromise and other pieces of intelligence. [That] allows us to identify other victims earlier. You may see an increase in the number of these cases being reported, because we're better at identifying [and] notifying the victims, and we're beginning the investigations sooner.
Detection of Breaches
KITTEN: Which challenges would you say the industry still faces, where detection of breaches and card compromises are concerned?
OSTERTAG: When we look at detecting POS breaches, card compromises, there are a few issues that affect our ability to detect these breaches. No. 1 is just the nature of the malware itself. In most of these cases, or almost all of them, the malware is customized to the particular merchant. A lot of times, it's simple changes involved in modifying the malware; but whenever we make any change, the signature of that malware changes. The traditional tools that we've used to identify this malware, the signature-based antivirus and detection systems, simply won't work when the malware is changed from merchant to merchant. So a hash value on a piece of malware from the last merchant won't necessarily work on a new merchant. We've got to use other detection tools.
KITTEN: How long does it typically take to detect an intrusion?
OSTERTAG: On average, it takes months typically to detect a POS intrusion, particularly in some of the larger cases. They're found through fraud analysis done by issuing banks and the card brands. Monthly statements go out for the consumer to look at to identify fraudulent transactions, to report them, and then the issuing banks do an analysis to identify the common points of purchase. In POS intrusions, that's typically the most prevalent method of detection. Simply by the nature of the difference pieces involved in doing those fraud analysis detections, it takes months to identify these.
KITTEN: What is the vulnerability or lack of security practices that are most concerning when it comes to POS intrusions?
OSTERTAG: Some of the common things that we're seeing in the large payment card data breaches are pretty consistent across the different merchants we're investigating. One commonality is a lack of two-factor authentication at the perimeter of some of these merchants' networks - a simple username and password to gain access to the network; not keeping antivirus software up to date is another problem; a lack of consistent white-listing on point-of-sale systems and servers, as well as file integrity monitoring for any changes or additions to those systems is another problem. Some of these are pretty basic security practices, but we're seeing weaknesses and vulnerabilities there. It's a wake-up for the retail industry, for merchants to take a look at their networks and make sure that all of the systems they rely on for detection and prevention are configured properly and working at maximum efficiency.
Financial Sector Incidents
KITTEN: Web-app attacks, card scheming, and DDoS attacks were the most frequent incidents targeting the financial sector, and that was not that surprising. What incident patterns stood out to you relative to industry or sector?
OSTERTAG: I think if we look at the manufacturing industry, with espionage being involved in manufacturing, one thing I think that has not been identified as clearly as it should be is what constitutes espionage. What type of data is involved? Traditionally, we think of intellectual property or processes or design, research and development, when we think of espionage. But in fact, when we look at almost half of those cases, they involve a business deal as opposed to intellectual property; a merger or acquisition, a real estate deal, opening an office in a new area or country, or requesting bids for purchases or for services. All of those things are often the target of these espionage-type of attacks. We look at manufacturing, and a lot of businesses in general, and think about these espionage attacks.
Another area that we see an increase in is the theft of personal-identifying information and customer information. If we look at the reasoning behind that, some of the issuing European organized crime groups have access to high-value bank accounts, home equities-based accounts, securities-based accounts. They couldn't get access to the funds because of second-level authentication questions about your lifestyle, as opposed to more traditional [questions like] mother's maiden name and Social Security number. What they found is if they went after business customer records, such as car dealers and healthcare providers, they were able to match that information up to these high-value accounts and access the funds in them. There's some changes because of the fraud use of the data has changed some of the patterns.
Wed App Attacks
KITTEN: Are we not giving Web-app attacks enough attention?
OSTERTAG: When we look at Web app attacks and see they're increasing at a greater rate, the reason for that goes back to interviews I've done with some of the organized crime groups [about] why [they] do. Why do you use a certain methodology [rather] than another? The answer consistently is, because it works. Their answer is, we're businessmen; I want to use the least amount of resources to get the greatest amount of benefit. What attacks lead? If we have a SQL injection vulnerability and some cross-site scripting vulnerabilities on Web-facing applications, that's easy pickings to go in and gain admin level access to those systems. I think the simple answer of why we're seeing a greater rate of Web-app attacks is because it's an easy way to get access to a company.
Now, on the other hand, when we look at information security professionals and the increased rate of Web app attacks, SQL injection and cross-site scripting are vulnerabilities that are fairly easy to prevent. Our hope is that people use the data breach report, and look at that statistic, to wake up and pay attention to your development code-writing security practices. Start using penetration testing on a regular basis on your Web applications to make sure that you're not vulnerable and, if you are, you find it as early as possible and correct them.
Verizon's Recommended Controls
KITTEN: When it comes to some of these Web-application security measures, what are some of Verizon's recommended controls?
OSTERTAG: The recommended controls are, practice good security at a code level, practice training your developers in OWASP techniques so they build security into the application as they write it. Make sure your change program includes security, and the same level of review and security when you change those Web applications as you do when you first develop them. Make sure that you practice penetration testing and don't just rely on vulnerability scanning. The bad guys have vendors, too; as they develop their exploits, they go to those outside vendors. One of the last vendors they use is the particular application that you've developed an exploit for. Practicing your exploit against that application with commercially-available vulnerability scanners [and making sure] your exploit is successful. That if the company only uses commercially available application vulnerability scanners, you're going to successfully infiltrate that application. So that's where penetration testing comes in. Go beyond just simple commercial scanning products and practice penetration testing also.
KITTEN: What final thoughts about the report generally would you like to share with our audience?
OSTERTAG: I think that in closing what we see overall when we look at the 10 years' worth of data, and variety of different industries [in] 95 different countries involved, the one thing that stands out is that it doesn't matter what industry you're in, it doesn't matter what region of the world you're in; if you have a presence on the internet, you are a target and people in your industry are a victim. Intrusions and data breaches are no longer just something involved [with] merchants that accept payment cards. It crosses all industries, all international boundaries. If you have an Internet presence, you really need to focus on your information security.