Cyber crime takes a bite out of legitimate systems

And despite a pile-up of government regulations and billions of dollars in technology, the attacks often go undetected, leaving a wide-open back door through which data flows unimpeded for between six and eight months. Indications are that the unplugged hole may endure even longer for government than for private sector enterprises. “We don’t have enough data to say that’s a trend, but in the sample that we have, government agencies tend to be slightly slower than, say, a financial organization at detecting those kinds of incidents,” said Wade Baker, a principal of the Verizon Business RISK team. Called in after a breach, the Verizon team usually finds the forensic evidence on site, Baker said. “When we go and investigate those kinds of events, we use the logs and the victims’ very own systems to investigate the incident,” he said. “We find evidence of those attacks 75 percent of the time, but for whatever reason the organization didn’t see those until, usually, they were notified by [another company or data-trading partner] that something bad had already happened.” Enterprises collect and aggregate event data; they just don’t adequately analyze it, Baker said. “The technology seems to be there; I think it really boils down to the practice.” That correlates with earlier findings by Enterprise Management Associates' managing research director Scott Crawford. Human nature is very much a significant determinant of effective security management, Crawford said. “What we find is that where there are significant problems in this area there is not a culture of enforcement of policies.” Security information and event management tools can catch many compliance, access control and security problems as well as the anomalous behavior that can indicate potential breaches, “but they require follow-through and a climate, a culture of awareness and enforcement,” he said. “Software can’t do it,” agreed Alan Paller, director of research at the SANS Institute. Further, “the good SIEM tools are a reasonable way to start,” he said. “But they’re only going to catch the known attacks. Beyond that, tools take a back seat to a smart, well-educated team of people.” Verizon’s RISK team has been fielding increasing interest from government, said Susan Zeleniak, president of Verizon Federal Business. The company holds Universal and Enterprise contracts for the General Services Administration’s Networx telecommunications contract. Agencies have “become very interested in what we can do in forensic investigation,” she said. “It’s something they didn’t know we knew how to do, but since they started finding out, we’ve been called on quite a lot.” The federal government may have little financial data to offer but it nevertheless comes in for its share of attacks. In a study sponsored by CA, Ponemon Institute LLC surveyed 217 top IT executives in the Defense Department, Homeland Security Department and other civilian agencies. Ponemon’s report, published in November, said that 35 percent of those federal IT execs acknowledged that their systems had been infiltrated in the previous year. And “more than 75 percent of respondents experienced one or more data breach incidents sometime over the past year.” Attacks on private sector systems “may be at or approaching an epidemic level,” warned Melissa Hathaway, former National Security Council acting director for cyberspace. Currently Harvard Kennedy School senior adviser on cybersecurity research, Hathaway last month wrote “Five Myths about Cyber Security,” an op ed piece for ExecutiveBiz. After all, she wrote, “there is a disincentive for reporting because by the very fact of reporting the breach, it can undermine customer confidence, brand reputation, price point – all of which can lead to cancelled contracts, fines, and lawsuits, not to mention downward pressure on stock prices.” Getting the hard threat data on which to base new policies has been difficult, Baker said. “There seems to be a hunger [among IT decision-makers] for more data,” he said. Baker and other members of the RISK team in December followed up its 2009 Data Breach Investigation Report (DBIR) with a supplemental report providing a statistical representation of attacks as well as case studies and “war stories,” and cybercrime trends. One of the top findings in the supplemental report: Malicious hacking remains the largest source of data breaches, accounting for 64 percent of the 592 incidents that the Verizon team has investigated over five years. Those hacks also affected the greatest number of records: 94 percent or 516,108,232 lost or compromised records (285 million in 2008 alone). In fact, cybercrime numbers of all kinds are soaring. In 2009 alone, PandaLabs, the malware analysis arm of antivirus maker Panda Security Inc., received 25 million new strains of malware, in contrast to the 15 million total for the rest of the company’s 20-year history. Last year, the lab’s daily intake of samples hit 55,000, a figure that “has been increasing in the last few months,” said the company’s 2009 Annual Malware Report, issued Jan. 5. Costs are also increasing, and not only from financial crime such as stealing credit card information. “Cyberthieves have moved beyond basic hacking and stealing of credit card data and personal credentials,” antivirus maker McAfee Inc. said in its 2009 cybercrime report. “An emerging target is intellectual property. Why sink all that time and money into research and development when you can just steal it?” The company interviewed executives from 1,000 large enterprises; their average loss from theft of intellectual property: $4.6 million in 2008. “The way that attackers are getting in really hasn’t changed that much,” Baker said. In both public and private sectors, he said, “we’ve seen that they’re still taking advantage of our mistakes.” Attackers often gain entry through systems that have been forgotten or simply aren’t on an organization’s systems inventory, he added. For example, a process that, under GSA’s soon-to-expire FTS2001 telecommunications contract, allowed designated agency representatives to order new systems segments and connections, which speeded and simplified ordering but created a systems inventory nightmare for the Defense Information Systems Agency. DARs are not allowed on Networx, and GSA will be working with DISA to inventory its systems. About a third of the time, attacks on private sector systems derive from a business partnership, Baker said. For government, the attacker is more likely already inside. Use of e-mail spam, including to send malware, is generally on the wane in private-sector enterprises, Baker added. But not so for government, a prime spam target. “In 2009, 92 percent of all e-mail worldwide was spam,” Panda said. The company’s lab analyzed more than 2 billion messages from 867 companies’ e-mail traffic to determine the impact of spam and malware on companies, according to business sector. The conclusion: Automobile and electrical sectors, followed by government institutions, comprise the top three recipients of spam and e-mail-borne malware, with ratios of 99.89 percent, 99.78 percent and 99.60 percent, respectively, Panda said. For government, just 0.4 percent of e-mail received is legitimate. “The uncontested technique of choice” to hack into a system is SQL injection, Verizon’s Data Breach report said. The attacker uses input fields on the target’s Web site to issue commands (as SQL statements) to a database. Of 69 hacking breaches in the Verizon report, only 16 derived from SQL injection, but they accounted for 79 percent of stolen records. SQL injection is just the crowbar that pries open a system, however. Once inside, attackers will use other tools to exploit that access and install a back door to allow repeated and continuous access. Malware such as keyboard loggers or spyware capture authentication credentials and send them to the attacker, who may download millions of records of payment card data and personally identifiable information. The “change in the malware dynamic stems from a change in the motivation of malware authors,” Panda said in its annual report 2009. “Previously, they sought fame; now, their motivation is purely financial: hackers are becoming more professional.” The new malware is “designed specifically to go undetected [and] is far more difficult to combat,” the Panda report said. Such an attack methodology makes detection more difficult, Baker said. One organization’s “internal IT personnel found evidence of SQL injection residing in the Web server logs,” the Verizon team reported. But, “because these entries were months old and low in number, staff concluded that the attacks had subsided.” A forensic investigation revealed that the SQL injection had been used to pull customer records, the report said, but “also pulled an extensive array of packet sniffers into the environment. The queries discovered by IT personnel disappeared from Web server logs simply because the attacker had no further need of SQL injection.” Sniffers mapped out the network and located target systems that processed payment data. Keyloggers installed onto internal systems captured and sent back administrative credentials. Attackers used the credentials to install a packet sniffer on the core payment switch. “This strategically placed sniffer captured millions of transactions and stored this data locally on the system,” the Verizon team said. “The attacker used the stolen domain credentials to reenter periodically and FTP data out of the environment.” So what does work? No single answer will answer that question, experts say. One good place to start is with SIEM software. In recent months, DISA has put on a push to install the updated version of ArcSight Inc.’s SIEM suite. Training also is crucial. But tossing outdated “milestone” philosophy may be the most significant step that IT security managers can take.