Sunday, March 25, 2012

Highlights from 2011 Verizon Data Breach Investigations Report

I have posted some of the key findings below from Verizon's 2011 Data Breach Investigations Report. Nothing too surprising in the report: data breaches are occurring for two major reasons, hacktivism and criminal intent.

In 2010, the Secret Service arrested more than 1,200 suspects for cybercrime violations. These investigations involved over $500 million in actual fraud loss.

Because of the increase in arrests, criminals are opting to “play it safe” and are moving away from large-scale financial services firms and toward hotels, restaurants, and retailers.

Verizon also writes that the story on data breaches does not change from year to year. It is the same story each year: no unstoppable attacker and no previously unknown method overpowered the victims. Instead, the victims already knew how to stop the attacker with good, proven best practices in infrastructure and software development, and simply had not applied them.

Who was behind the data breaches in the report?
  • 92% stemmed from external agents (hackers).
  • 17% implicated insiders.
(The two figures overlap because some breaches involved both outside and inside parties.)

What commonalities exist among the reported breaches?
  • 96% of breaches were avoidable through simple or intermediate controls.
  • 92% of attacks were not highly difficult.
  • 86% were discovered by a third party.
  • 83% of victims were targets of opportunity.

How did the breaches occur?
  • 50% utilized some form of hacking.
  • 49% incorporated malware.

Conclusions and Recommendations
  • Access Control
    • Change default credentials.
    • Review user accounts.
    • Restrict and monitor privileged users.
  • Network Management
    • Secure remote access services.
    • Monitor and filter egress network traffic.
  • Secure Development
    • Application testing and code review, with particular attention to:
      • SQL injection
      • Cross-site scripting
      • Authentication bypass
      • Exploitation of session variables
  • Log Management and Analysis
    • Enable application and network logs and monitor them.
    • Define “suspicious” and “anomalous” (then look for whatever “it” is).
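As an added illustration of the secure-development items above (this is my own example, not code from the Verizon report or from this post), the following Python script builds a throwaway in-memory SQLite user table and writes the same login check two ways: once with string-concatenated SQL, which the classic `admin' --` and `' OR 1=1 --` payloads turn into an authentication bypass, and once with a parameterized query, which binds the same payloads as data so they match nothing. The table, account names and passwords are constructed for the demonstration, and passwords are stored in plaintext purely to keep it short.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table (example data only). Plaintext
    passwords are used to keep the demo short; real code stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct-horse-battery", 1), ("alice", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting, so user input is parsed as SQL.
    Returns the matched username, or None when no row matches."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver passes the input as data,
    so quotes and comment markers inside it have no SQL meaning."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the same authentication-bypass payloads through both versions."""
    conn = make_db()
    # admin' --    closes the string literal and comments out the password check.
    comment_payload = "admin' --"
    # ' OR 1=1 --  makes the WHERE clause true for every row.
    tautology_payload = "' OR 1=1 --"
    return {
        "vuln_comment": login_vulnerable(conn, comment_payload, "wrong"),
        "vuln_tautology": login_vulnerable(conn, tautology_payload, "wrong"),
        "safe_comment": login_safe(conn, comment_payload, "wrong"),
        "safe_tautology": login_safe(conn, tautology_payload, "wrong"),
        "safe_valid": login_safe(conn, "alice", "hunter2"),
        "safe_invalid": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result!r}")
```

Running it shows both payloads logging in as `admin` through `login_vulnerable` and returning `None` through `login_safe`, while a genuine `alice`/`hunter2` pair still succeeds. The fix is not input filtering but keeping code and data separate; the same bound-parameter pattern applies to any database driver.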
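The last recommendation, write down what “suspicious” means and then go look for it, is the one most often skipped, and it ties directly to the access-control items (default credentials, privileged users). As an added example, my own and not from the report, here is a small Python detector over constructed authentication log lines. The line format, account names, addresses and the policy values (default account list, business hours, failure threshold, known source addresses) are all invented for the example; it encodes three concrete definitions: a successful login to a vendor default account, a privileged login outside business hours or from a source address not previously seen for that user, and a success that follows a burst of failures.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample authentication log (invented format and data, not real logs).
# Format: <ISO-8601 time> <OK|FAIL> user=<name> src=<ip> priv=<0|1>
SAMPLE_LOG = """\
2012-03-20T09:12:01 OK user=alice src=10.0.0.5 priv=0
2012-03-20T09:13:44 OK user=admin src=10.0.0.9 priv=1
2012-03-20T23:41:02 OK user=admin src=203.0.113.7 priv=1
2012-03-20T23:41:30 OK user=root src=203.0.113.7 priv=1
2012-03-21T02:10:00 FAIL user=bob src=198.51.100.4 priv=0
2012-03-21T02:10:01 FAIL user=bob src=198.51.100.4 priv=0
2012-03-21T02:10:02 FAIL user=bob src=198.51.100.4 priv=0
2012-03-21T02:10:03 FAIL user=bob src=198.51.100.4 priv=0
2012-03-21T02:10:04 FAIL user=bob src=198.51.100.4 priv=0
2012-03-21T02:10:09 OK user=bob src=198.51.100.4 priv=0
2012-03-21T10:00:00 FAIL user=alice src=10.0.0.5 priv=0
2012-03-21T10:00:30 OK user=alice src=10.0.0.5 priv=0
"""

# Hypothetical policy inputs: vendor default accounts that should have been
# renamed or disabled, the hours a privileged login is expected, and how many
# consecutive failures count as a brute-force attempt.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "sa", "guest"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time
FAIL_THRESHOLD = 5

# Constructed baseline: source addresses already seen for each privileged user.
KNOWN_SOURCES = {"admin": {"10.0.0.9"}}

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+) priv=([01])$")


def parse(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src, priv = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ok": result == "OK",
                       "user": user, "src": src, "priv": priv == "1"})
    return events


def find_suspicious(events, known_sources):
    """Return (kind, user, src) alerts, one per written-down definition that fires."""
    alerts = []
    fails = Counter()  # consecutive failures per (user, src)
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            fails[key] += 1
            continue
        # A success: first check whether it closes a brute-force burst.
        if fails[key] >= FAIL_THRESHOLD:
            alerts.append(("success-after-brute-force", e["user"], e["src"]))
        fails[key] = 0
        if e["user"] in DEFAULT_ACCOUNTS:
            alerts.append(("default-account-login", e["user"], e["src"]))
        if e["priv"]:
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("privileged-login-off-hours", e["user"], e["src"]))
            if e["src"] not in known_sources.get(e["user"], set()):
                alerts.append(("privileged-login-new-source", e["user"], e["src"]))
    return alerts


def summarize(alerts):
    """Count alerts by kind so a reviewer can see which definitions fired."""
    return Counter(kind for kind, _, _ in alerts)


if __name__ == "__main__":
    found = find_suspicious(parse(SAMPLE_LOG), KNOWN_SOURCES)
    for kind, user, src in found:
        print(f"{kind:28s} user={user} src={src}")
    print(dict(summarize(found)))
```

On the sample data the 23:41 logins by `admin` and `root` from 203.0.113.7 trip all three privileged-user rules at once, while `bob` is flagged only because a success followed five straight failures. The point is less the particular rules than that each one is a sentence someone wrote down first; the 86% of breaches discovered by third parties are the ones where nobody did.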


Saturday, March 24, 2012

Legislation in Congress Pursuing Data Breach Disclosure Measures

In the last couple of posts I talked about current laws and how they relate to the Fourth Amendment. In this post I will cover three bills that are working their way through Congress. These bills are a response to the massive Sony and Citigroup data breaches. As with any legislation, it is unclear whether these bills will make it to the floor for a vote and, if so, what their final content will be. By one estimate, each of the three bills has about an 8% chance of passing.

The first bill is S. 1408: Data Breach Notification Act of 2011. This bill would require federal agencies and businesses that “engage in interstate commerce” and process data containing PII to disclose any breaches. Key points of this bill are:
  • A written notice of a security breach to individuals by mail, telephone, and e-mail.
  • Notice to major media outlets if a security breach involves more than 5,000 individuals.
  • A description of the categories of sensitive personally identifiable information acquired by an unauthorized person.
  • A toll-free telephone number for contacting an agency or business entity to ascertain the types of personal information maintained by such agency or entity.
  • The toll-free telephone numbers and addresses for the major credit reporting agencies. Authorizes a state to require that a notification also include information about victim protection assistance provided by that state.

The next bill is S. 1535: Personal Data Protection and Breach Accountability Act of 2011, a bill to protect consumers by mitigating the vulnerability of personally identifiable information (PII) to theft through a security breach, providing notice and remedies to consumers in the wake of such a breach, holding companies accountable for preventable breaches, facilitating the sharing of post-breach technical information between companies, and enhancing criminal and civil penalties and other protections against the unauthorized collection or use of PII.
Key points of this bill are:
  • Fines businesses that willfully conceal a security breach involving sensitive personally identifiable information.
  • Applies to interstate businesses that collect, access, transmit, use, store, or dispose of sensitive PII on 10,000 or more U.S.

The last bill is the Personal Data Privacy and Security Act of 2011. This bill aims to prevent and mitigate identity theft, ensure privacy, provide notice of security breaches, and enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information. This bill defines PII as:
  • Specified combinations of data elements in electronic or digital form, such as an individual's first and last name or first initial and last name in combination with home address or telephone number, mother's maiden name, and date of birth.
  • A non-truncated social security number, driver's license number, passport number, or government-issued unique identification number.
  • Unique biometric data, such as a fingerprint, voice print, retina or iris image, or other unique physical representation.
  • A unique account identifier.
  • Any security code, access code, password, or secure code that could be used to generate such codes or passwords.

Monday, March 12, 2012

Currently reading

I am currently reading “Ghost in the Wires: My Adventures as the World's Most Wanted Hacker”. I am enjoying reading the book. It’s a little early for me to recommend the book, but it is better than the previous book I read about Kevin Mitnick.

I picked up a copy of “Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It” at a used bookstore, and it was a total waste of time to read. Besides not covering the technical details well, Shimomura comes off as an egomaniac. One good thing Shimomura did was to step up and help end Kevin Mitnick’s rampage. Well, not so good if you were Kevin Mitnick. If you are reading this to better understand hackers like Kevin, or the technical details of how to prevent their intrusions into your systems, then read something else.

I have read other accounts of the personalities involved in bringing Kevin down, including Kevin’s own accounts in interviews. The one thing I can say for sure is that everyone seems to have his or her own perspective on who Kevin is, what he did, and the amount of damage he is responsible for.

Another drawback to this story is Shimomura’s insistence on bringing too much of his personal life into it. Why the filler about his relationship with his girlfriend was included in the story was a complete mystery to me.

When I read these types of books I am looking for three things. One is an understanding of the events and a timeline, so I can put things into perspective; second is an understanding of the individuals involved and their motives; and lastly is an understanding of the tools, how the hacks worked, and other technical details. I am not looking for a how-to-hack book, but I do expect a good technical discussion. This book did not meet any of those objectives for me.

The police work and forensic data were not discussed in detail at all. To make matters worse, the FBI and other law enforcement individuals do not come off in a good light when compared to Shimomura’s ego. The book would have benefited from a more team-oriented approach, with individuals working alongside law enforcement. I am of the opinion that everyone from Kevin and Shimomura to John Markoff saw dollar signs in stopping Kevin. A book written with a more honest approach to dealing with law enforcement would have gone further in educating everyone about the dangers that Kevin and other hackers pose. I would not recommend this book to anyone.

I did read “Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet” and found that many of the complaints I listed about Takedown above were overcome. I was able to take away knowledge that was useful, and the book was a very entertaining story without being dishonest. The relationship between the main character and law enforcement was not without issues, but it gave an honest account of getting law enforcement involved. I would recommend this book to anyone.

Tsutomu Shimomura with John Markoff. “Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw -- By the Man Who Did It.” Hyperion Books, 1996.

Joseph Menn. “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet.” PublicAffairs, 2010.

Kevin Mitnick. “Ghost in the Wires: My Adventures as the World's Most Wanted Hacker.” Little, Brown and Company, 2011.