Tag Archives: Dark Reading

South Carolinas’s Majority of Social Security Numbers Exposed…

In an article in Dark reading, South Carolina officials announced that more than three-quarters of the states social security numbers were exposed in a recent hack. The data included debit and credit card information for the states residents as well. The most concerning issue was that the database that was compromised was not encrypted. As a state agency, it should have been an example to follow rather than one to avoid. The state’s Department of Revenue should have been held to not only federal regulatory requirements, but also PCI. This type of failure is not acceptable.

While not everything has been released as to the cause other than the database was breached and not encrypted, the article states the following:

Although state officials referred to the hack as a “database” breach, they didn’t specify just what flaw was exposed. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.

Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. “That’s the simplest way in,” he says.

It is easy to make conjecture about how the breach occurred, but it would seem that the necessary due diligence was not followed. Security should be more than a check-box. States and Federal governments should be setting the examples for the rest of business…Another instance where measure twice and cut once should have been put in place…

Tagged , , , , , , , , , , , , ,

Zero-Day Attacks Last Longer Than Zero…

Research from Symantec has been published in ACM on October 16. The research, which was also referenced in articles in SC Magazine and Dark Reading, looks at the amount and duration of zero-day attacks. Specifically:

A zero-day attack is characterized by a vulnerability that is exploited in the wild before it is disclosed, i.e., t0 > te. Similarly, a zero-day vulnerability is a vulnerability employed in azero-day attack. Our goals in this paper are to measure the prevalence and duration of zero-day attacks and to compare the impact of zero-day vulnerabilities before and after t0.

The research within the paper has some important considerations to business and the need for effective patching and defense-in-depth within the enterprise. Specifically, the paper found the following conclusion:

Zero-day attacks have been discussed for decades, but nostudy has yet measured the duration and prevalence of these attacks in the real world, before the disclosure of the corresponding vulnerabilities. We take a first step in this direction by analyzing field data collected on 11 million Windows hosts over a period of 4 years. The key idea in our studyis to identify executable files that are linked to exploits of known vulnerabilities. By searching for these files in a dataset with historical records of files downloaded on end-hosts around the world, we systematically identify zero-day attacks and we analyze their evolution in time.We identify 18 vulnerabilities exploited in the wild before their disclosure, of which 11 were not previously known to have been employed in zero-day attacks. Zero-day attacks last on average 312 days, and up to 30 months, and they typically affect few hosts. However, there are some exceptions for high profile attacks such as Conficker and Stuxnet, which we respectively detected on hundreds of thousands and millions of the hosts in our study, before the vulnerability disclosure. After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude. These findings have important implications for future security technologies and for public policy.

Based on these findings, it will be interesting to see if the various technology vendors, programmers, and business will take this to heart and work harder in getting less vulnerable software and systems to market. Follow on research from this paper could be to evaluate the cost impact associated with zero-day attacks or vulnerabilities that were left unpatched. The reality is that security is about risk acceptance and in some cases the cost may be deemed an acceptable risk by some businesses.

Tagged , , , , , , , , , , , , ,

The Cost of Monitoring Saves You Money…

In an article in Dark Reading, they discuss a recent study that shows the costs of cybercrime are reduced through intelligence, which included monitoring. The study by the Ponemon Institute was a survey tallying the cost of cybercrime. The study surveyed 56 companies and these companies lost on average, $8.9 million due to cyberattacks each year. Based on the survey, companies that detected attacks slowly incurred greater costs. In the 2012 survey, that is to say the companies needed 24 days, on average, to resolve a cyberattack, which in turn created a hefty bill of more than $590,000 per incident — 42 percent more than the previous year.

While many businesses see information technology and especially information security as a cost center, there has always been a hard sell when it comes to proving or showing that the security controls, including network and security monitoring, help in saving money. Most of this is because of the usual hefty price tag that occurs with the implementation and ongoing maintenance of these systems.

According to the article and study:

“Some organizations seem to experience a lower cost, but not a zero cost, if they do certain things,” says Larry Ponemon, chairman and founder of the survey firm. Security intelligence “is really important and helpful — not only in the detection of the cybercrime — but in the containment and ultimately remediation of the crime.”

Companies that had deployed security information and event management systems or intrusion detection systems had, on average, $1.7 million less in cybercrime costs, according to the Ponemon survey. Companies that had implemented access and identity management tools saved $1.6 million, and the deployment of tools to help with governance, regulation, and compliance trimmed $1.5 million.

It is easy to understand that technologies for monitoring and gaining intelligence on threats, “security intelligence” within the report, correlated the most with a reduction in cybercrime costs. As mentioned above, while the costs were not reduced to zero, the reduction provides a good basis for the implementation or continuation of these functions within business.

Tagged , , , , , , , , , , ,

More on Cyber Security Executive Order…

Dark Reading published an article on October 9 about the pending Executive Order on cyber security and what it will mean to an enterprise. As mentioned in a previous post, the executive order is the Obama administration’s response to the fact that Congress did not pass cybersecurity legislation, specifically the Cybersecurity Act of 2012.

Now while the Executive Order would be focused on national critical infrastructure, the article brings up some good points about what impacts and insights this could have on a business. The article noted that the Executive Order would not deal with one of the key points of the act, the sharing of information between government agencies. According to the article:

The issuance of an executive order would not address one of the key elements of the Cybersecurity Act of 2012 – information sharing between the private sector and government. According to former NSA Deputy Training Director Cedric Leighton, information-sharing has to span both sharing between the government and private sector as well as between entities in the private sector itself.

A key point about what businesses are looking for is stated in the article…more specifically three key items:

Rather than checklists, organizations are looking for three distinct things: the current state of a threat, what others are doing about security, and what are the guiding principles that should be considered when developing a security program and strategy, Granado argues. Protecting intellectual property means complicating the process of acquiring inappropriate access, detecting threats and neutralizing threats before they expand, he says.

As noted in the article, a purely defensive “knee-jerk” mentality is not enough and a pro-active stance is needed to effectively secure the information assets of the business and in turn improve the overall risk posture. The idea that the minimum is enough is not enough, that will leave business always behind a curve.

Tagged , , , , , , , , , , , , ,
<span>%d</span> bloggers like this: