Verizon Data Breach Investigation Report impressions

This is the first year I've read the full Verizon Data Breach Investigation Report. It was quite entertaining, but then again I'm into baseball, and within baseball I'm into statistics. The report was easy to read, interesting, and informative. Here are my impressions of the roughly 70-page report:

Threat Intelligence

Sharing threat intelligence is useful, but the strategy needs to be more "going to the well" than "drinking from the hose." Think of the NSA's bulk collection of information, which has been found to be largely ineffective at discovering attacks.

Phishing

Communications, legal, and customer service departments were all more likely to open a phishing email. There is no easy solution or magic wand that can make phishing go away. We need to focus on better filtering, on developing and executing an ENGAGING and THOROUGH security awareness program, and on improving detection and response capabilities.

Vulnerabilities

It's more effective to focus on getting a patch deployment strategy in place than to try to patch systems the moment a new patch is released. Ten CVEs account for almost 97% of exploits observed in 2014. The ten:

  1. CVE-2002-0012 - SNMP

  2. CVE-2002-0013 - SNMP

  3. CVE-1999-0517 - SNMP

  4. CVE-2001-0540 - Memory leak

  5. CVE-2014-3566 - POODLE

  6. CVE-2012-0152 - RDP

  7. CVE-2001-0680 - Directory traversal

  8. CVE-2002-1054 - Directory traversal

  9. CVE-2002-1931 - XSS

  10. CVE-2002-1932 - Log deletion

According to this list, there are still a lot of vulnerabilities from the past that need to be patched. Getting a patching process in place is great for all the new stuff, but don't forget about all the old stuff that came out before the security team was in place.

Mobile

".03% of smartphones per week were getting owned by "high-grade" malicious code."

Android is the worst operating system (everyone saw that one coming) and, "most of the malware is adnoyance-ware and similar resource-wasting infections." This might change in the future, but for now it's not a huge area of concern.

Malware

My favorite line came from this section: "Special snowflakes fall on every backyard." It refers to "new" malware that gets around anti-virus being described as "advanced" or "targeted." Not the case, according to the report. Malware is simply being given unique hashes to avoid detection by anti-virus.
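To see why the report's "special snowflakes" defeat hash-only detection, here is an added Python example (not from the report or this blog) that compares a SHA-256 blocklist against a content signature over constructed sample bytes. The payload bytes, the marker string, and the variant count are all assumptions made for the demo.

```python
import hashlib

# Constructed stand-in for one malware family's payload: a fixed core that
# carries a distinctive, behaviour-bearing string. Not real malware.
MARKER = b"http://c2.example.invalid/beacon"
FAMILY_CORE = b"\x4d\x5a\x90\x00" + b"\x00" * 60 + MARKER

# The single sample the anti-virus vendor has already seen and hashed.
KNOWN_HASHES = {hashlib.sha256(FAMILY_CORE).hexdigest()}


def make_variant(seed: int) -> bytes:
    """Build a 'special snowflake': identical core, different trailing junk.

    The padding is derived deterministically from the seed so the demo is
    reproducible; every seed yields a different file and thus a different hash.
    """
    junk = hashlib.sha256(b"pad-%d" % seed).digest()[:16]
    return FAMILY_CORE + junk + seed.to_bytes(4, "big")


def hash_match(sample: bytes) -> bool:
    """Hash-based detection: exact match against the known-bad hash list."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES


def signature_match(sample: bytes) -> bool:
    """Content signature keyed on the marker string, not on the whole file."""
    return MARKER in sample


def evaluate(n_variants: int) -> dict:
    """Run both detectors over n rehashed variants and tally the results."""
    variants = [make_variant(i) for i in range(n_variants)]
    return {
        "variants": n_variants,
        "unique_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "hash_detections": sum(hash_match(v) for v in variants),
        "signature_detections": sum(signature_match(v) for v in variants),
    }


if __name__ == "__main__":
    # Expect: 100 variants, 100 unique hashes, 0 hash hits, 100 signature hits.
    print(evaluate(100))
```

The same rehashing trick the report describes leaves the hash list with zero hits, while a signature built on what the sample contains or does still catches every variant.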

Industry profiles

Each organization is unique, which is not earth shattering, but good to understand when looking at internal and external entities.

Impact

There is some supply and demand with data breaches: the higher the number of records lost, the lower the cost of each record. Keep in mind that records only tell half the story when it comes to the impact of a breach. There is fallout, not only within the company but outside it.

Incident classification patterns

96% of data breaches fall into nine basic patterns:

  1. POS Intrusions - 28.5%

  2. Crimeware - 18.8%

  3. Cyber-Espionage - 18%

  4. Insider Misuse - 10.6%

  5. Web App Attacks - 9.4%

  6. Miscellaneous Errors - 8.1%

  7. Physical Theft/Loss - 3.3%

  8. Payment Card Skimmers - 3.1%

  9. Denial of Service - .1%

These are all from the first half of the report. The other half of the report discusses each type of data breach and what we can learn from it. I highly recommend reading the whole report. Not only is it an easy read, but it gives great insight into the current landscape of breaches.

This post first appeared on Exploring Information Security.

Things to know: Jimmy John's and Home Depot breach

I meant to write something up on this last week, but someone found a bug in bash that set my world on fire. I've asked several friends and family if they've heard about the Jimmy John's and/or Home Depot breach, and the response has been less than encouraging. So here's the lowdown on the two breaches.

Home Depot

56 million debit and credit card numbers were stolen between April and September of this year:

Home Depot: 56M Cards Impacted, Malware Contained - Brian Krebs - Krebs on Security

It looks like the breach impacted all Home Depot stores in the US and Canada. If the numbers seem quite low for a four-to-five month breach, it's because the self-checkout terminals seem to be the ones that got owned. Either way, if you shopped at Home Depot between April and September, get a new card issued from your bank. They'll be sure to send the bill to Home Depot, so don't let them talk you out of a new card. And oh hey look! Home Depot is offering free identity protection for 12 months. Be sure to sign up for that, but realize that "protection" won't stop nefarious people from using your identity for their own gain.

Official Statement

Jimmy John's

216 stores were found to have been affected by this event and Jimmy John's has been kind enough to provide a search tool for the stores that were owned.

Affected Stores & Dates

Two stores were affected in South Carolina, one of which I've gone to in the last year. Luckily I haven't been there in the last three months. Bullet dodged. The tool is easy to use: just input a store number, city, state, address or date. Using a state's two-letter code should limit the results enough to help you identify if you've been affected by this particular breach. Full details on the incident can be found below.

Data Security Incident

Protect yourself

These are only two of the many breaches that have occurred this year. Goodwill has gotten popped as well as several other smaller and local businesses. Here are some tips for protecting yourself from identity theft that could occur from breaches like these:

Check bank statements regularly. It's ridiculously easy to do, and with online banking it shouldn't take more than 10-15 minutes to pop in and check what's been purchased on all your cards. I would recommend checking at least once a week.

Also, I would highly recommend using credit cards instead of debit cards. It's a lot easier to replace a credit card than it is a debit card.

Finally, I would recommend cash, but then you have to worry about skimmers on ATMs, so I won't. =P

Happy shopping!


InfoSec links September 24, 2014

Data Breach Victims or Enablers? - Bill Brenner - Liquid Matrix

Companies that suffer a breach — Home Depot and Target have been among this year’s biggest poster children — are victims. They don’t set out to put their customers’ data in danger and they probably thought they were practicing all due diligence until they discovered the intrusions. But they probably also mistook their compliance check lists for real security and failed to turn security into a company-wide mindset, and that makes them enablers for the hackers who beat them.

Home Depot ignored security warnings for years, employees say - Sean Gallagher - Ars Technica

Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by The New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.

Massive Malvertising Network is 9 Times Bigger Than Originally Thought: Cisco - Brian Prince - Security Week

"The “Kyle and Stan” network is a highly sophisticated malvertising network," blogged Armin Pelkmann, threat researcher with Cisco. "It leverages the enormous reach of well placed malicious advertisements on very well known websites in order to potentially reach millions of users. The goal is to infect Windows and Mac users alike with spyware, adware, and browser hijackers."


InfoSec links August 26, 2014

Father of PGP encryption: Telcos need to get out of bed with governments - Sean Gallagher - Ars Technica

Doing business with US government customers generally requires the use of National Institute of Standards and Technology (NIST) standards for encryption. But by default, Zimmermann said, Silent Circle uses an alternative set of encryption tools.

“It wasn’t because there was anything actually wrong with the NIST algorithms,” Zimmermann explained. “After the Snowden revelations, we felt a bit resentful that NIST had cooperated with the NSA."

Edward Snowden: The most wanted man in the world - James Bamford - Wired

Despite being the subject of a worldwide manhunt, Snowden seems relaxed and upbeat as we drink Cokes and tear away at a giant room-service pepperoni pizza. His 31st birthday is a few days away. Snowden still holds out hope that he will someday be allowed to return to the US. “I told the government I’d volunteer for prison, as long as it served the right purpose,” he says. “I care more about the country than what happens to me. But we can’t allow the law to become a political weapon or agree to scare people away from standing up for their rights, no matter how good the deal. I’m not going to be part of that.”

Why So Many Card Breaches? A Q&A - Brian Krebs - Krebs on Security

Today’s post includes no special insight into this particular retail breach, but rather seeks to offer answers to some common questions regarding why we keep hearing about them.


Thoughts on the Houston Astros data breach

I have a good reason for not having my usual link post up this morning. Yesterday I found out that the Houston Astros, the team I root for on a daily basis, had a data breach. Some of the data taken made its way onto Anonbin, so last night I spent five hours putting together 1775 words on the data breach over at The Crawfish Boxes. When I was done, the motivation to write was almost completely gone for me.

Be sure to check my post over there, and be sure to check back tomorrow for my regularly scheduled link post AND a new episode of the Exploring Information Security Podcast.
