Data thieves use simple hacks, go undetected for months
Posted on October 9, 2009 | 5 comments
What do TJX and Heartland Payment Systems, and now PayChoice, have in common?
They are among thousands of business entities hit by data heists that involved very simple hacking techniques.
LastWatchdog’s investigative report on this topic hit newsstands today on the Money cover section of USA TODAY — and will circulate in airports and hotels globally over this weekend.
The story sheds light on how overly complex IT systems are producing vast opportunities for data thieves to break in, and go undetected, with shocking ease.
Data thieves routinely go undetected for months
The metric that really hammers this home comes from p. 22 of the Verizon Business 2008 Data Breach Report. In probing more than 500 data breach cases, investigators found that it usually takes hours to days for hackers to home in on jackpot databases, once they break in. What’s worse, in 63% of these 500 cases it took the victim companies months — yes, months! — to discover they had been breached.
Here’s the version of that stunning metric that’s in 1.88 million copies of USA Today in news racks around the world today:

“This tells us that hackers are not just punching through and grabbing data in a matter of seconds,” says Wade Baker, director of research at Verizon Business Risk Team. “Once they get inside they have to find the systems that have the data they want, and get their hands on it. That takes a little bit of time.”
The fact that many organizations are spending hefty amounts on sophisticated intrusion detection systems, yet not noticing thieves draining their data, hints at information overload.
“With hundreds of thousands of events taking place, you’re really looking for a needle in the haystack,” says Baker. “The breach gets lost in all the numbers.”
Patient guidance was also supplied by Bob Hansmann at Blue Coat; Matt Marshall at RedSpin; Ivan Arce and Alex Horan at Core Security; Joe Stewart at SecureWorks; Steve Dauber and Mike Lloyd at RedSeal; Andy Bokor at Trustwave; and others who shall remain unnamed. Much appreciated, gentlemen.
Hopefully, this story will bring focus to the debate over what course needs to be taken. Do corporations need to extend their layered defenses, or do they need to focus on closing security holes in their software applications? Or maybe a little of both.
Comments below are encouraged.
Illustration and chart by USA Today
–By Byron Acohido
Comments
The “Bad Actor” has the advantage as they only need one opening to establish a foothold within a given company. The actors are professional, efficient, and motivated. They are leveraging the Internet to deliver Malware payloads that enable many of these attacks. Corporations must work to reduce complexity and gain greater control of their IT environments. This of course means that restrictions must be put in place on users and technologies to limit exposure.
Don DeBolt
Director of Threat Research
CA-ISBU
Comment by Don DeBolt — 10/9/2009 @ 1:36 pm
Don Debolt: We do Prevent Net breaches and we soon will launch the company. Unlike the 30 year track record of the S/W industry and no science, we are 100% Science backed and we have many satisfied clients including the Canadian Govt. Dept of Public Safety (DHS) and the US AF & Navy, and commercial clients too. Almost ready to launch, so for an advanced briefing, please email me directly: continuump@gmail.com
BobP/CEO
Comment by Bob Pollock, CEO — 10/11/2009 @ 10:01 am
Byron: You’re going to blow your “SCOOP” if you continue to procrastinate! Please contact me…
BobP/CEO
Comment by Bob Pollock, CEO — 10/11/2009 @ 10:05 am
You’re exactly right, Byron. And the sad fact is that the bad guys often make a small investment and yield a big (until caught). Your examples also point to a gap in the PCI standard regarding the internal movement of data, where there’s not a requirement to encrypt it – yet. And while credit cards are often the focus of companies, so much other personally identifiable information (PII) exists out there and is being breached as well.
Gary Palgon
VP Product Management
nuBridges, Inc.
Comment by Gary Palgon — 10/12/2009 @ 2:32 pm
It seems that the sheer ubiquity of complex targeted attacks and the recognition of the widespread availability of assailable vulnerabilities (including via regulatory activity) is finally pushing companies and government organizations to get proactive with IT security.
Unfortunately, in the business world there has been a longstanding resistance to investment in vulnerability management and self assessment initiatives, as it’s hard to sell execs on the ROI of processes that aim to prevent something that hasn’t happened yet.
Great piece as always, Byron.
Matt Hines
Core Security Technologies
Comment by Matt Hines — 10/14/2009 @ 8:10 am