Friday, January 29, 2010

UK data breach report

A new report that covers breaches in the UK (mainly in the retail sector) has been published. I wrote earlier about a similar report from the US, the Verizon data breach report. The UK Security Breach Investigations Report 2010 is the joint work of 7Safe, the University of Bedfordshire, SOCA, and the Police e-crime unit. The report covers 62 genuine breaches investigated over a period of 18 months. Some of the highlights of this report are:
  • In the cases investigated there were many instances where administrator and user credentials were very weak or easily guessable, allowing an attacker to brute force the account and gain a foothold on the system
  • The majority of attacks in this study came from external sources
  • In the study, 40% of all attacks used SQL injection as the source of the compromise, with a further 20% using SQL injection combined with another vulnerability such as malware
  • The majority of the cases undertaken (46%) involved a shared hosting environment being hacked
  • Another interesting trend is the increased proportion of web applications being targeted for attack rather than the infrastructure they are hosted on. The data used for this study shows that in 86% of all attacks, a weakness in a web interface was exploited
Since the majority of cases involved organizations in the retail sector, the breaches involved credit card data. The report lists the PCI compliance level for each of the 12 PCI requirements in the investigated cases. Here are some highlights from the PCI section of the report:
  • A staggering 81% of the breached organisations had not changed the system defaults throughout their cardholder data environment
  • The failure of 100% of the breached organisations to comply with requirement 6 is one of the most telling. Requirement 6 is "develop and maintain secure systems and applications"
  • Whilst many of the organisations investigated actually had firewalls installed, poor configuration of these devices rendered most of them useless.
  • The investigations also revealed that none of the organisations met all requirements of the PCI DSS. Indeed, in just over one quarter of the cases, none of the twelve requirements were met. The maximum number of requirements met by an individual organisation was only 6 out of 12, in approximately 4% of cases.
One major finding I see here is that shared hosting environments account for the majority of the cases. We can assume that hackers are now targeting hosting providers because once they have penetrated these systems, they get access to the data of multiple businesses. This is one thing to watch out for in the future.

Other than this, the report does not indicate anything earth shattering; these are the things that we all preach or that everyone is already aware of. The interesting thing is that many organizations still don't "get it". It is the responsibility of information security practitioners to make organizations and business unit leaders aware, and such reports definitely help convey the message.

Such forensic analysis reports provide more accurate data since they are based on real-world breaches rather than user surveys or business perceptions. They can be used to understand the threat landscape and to measure where your organization stands in mitigating these types of threats.

Tuesday, January 26, 2010

Upcoming Information Security conferences in India

Here are some of the India based events that readers would be interested in attending:

  • e-Crime India is specifically designed for senior decision makers and technical experts from global business, government, and law enforcement. This event brings together 250 delegates from global and regional businesses, as well as heads and directors from leading regional and international law enforcement agencies. Dates: 23rd & 24th Feb 2010
  • null is proud to announce the launch of its security & hacking conference, nullcon Goa 2010. nullcon Goa 2010, India's first 'community' driven security & hacking conference, will bring together security researchers, security professionals, vendors, CXOs, and law enforcement agencies from all over the country on a common platform to discuss the latest research in the field of information security and, in particular, the major security threats faced by everyone today. Dates: 6-7th Feb 2010

Cost of data breach increased in 2009 - Ponemon study

Need some more data to convince the CFO why the organization needs to spend more on risk mitigation and why you are asking for an increase in budget allocation? A recent report released by the Ponemon Institute and PGP should help. They found:

  1. An increase in data breach cost per compromised record when compared to 2008
  2. Significant spike in legal defense spending when compared to 2008
  3. An increase in average total per-incident cost
  4. The most expensive data breach event included in the study cost a company nearly $31 million to resolve.

Saturday, January 16, 2010

Google attacks and IE 0-day

This week's big news was the high profile attack on Google. WSJ reported that "The attack targeted as many as 34 different companies". Immediately after that, McAfee published a blog entry explaining that the cause of these attacks was an IE 0-day. Microsoft also published an advisory for this 0-day; considering its importance, I would expect an out-of-band patch release for this vulnerability.

Yesterday, the Metasploit project released an exploit for this vulnerability. If you are interested in a video demonstration, check the link below.


Update: Yesterday, Microsoft released an out-of-band security update, MS10-002, that addresses the IE vulnerability.

Cloud computing - Security issues and remediation steps - Part 3 Final

In this third and final part, I am going to list some of the steps that organizations can take before they decide to adopt cloud computing technology.

How can we prepare for cloud computing from a security perspective?
  • Identify the data
  • Classify the data
  • Identify security requirements based on the criticality of the data, regulatory requirements, local jurisdiction, etc.
  • Perform risk assessment
  • Security awareness – educate users and business owners on the risks
  • Identify client and business partner requirements on data protection
  • Assign proper rights
  • Identify and negotiate required SLAs

Cloud computing and its security is one of the most talked about issues of the past year or so. Cloud computing has already happened, or is going to happen, for most organizations, and in some cases without the knowledge of IT. Organizations look for cost savings, especially when there is a new business venture and the time to market gets very short.

Considering this, organizations should invest time in preparing for this eventuality, identify the issues beforehand, and inform management on what to check before they venture into cloud computing.

However, the effort from cloud providers to close these issues and to identify a common standard for dealing with cloud security has been limited. Of late, we are seeing more activity in this area in the form of the Cloud Security Alliance, which was formed to promote the use of best practices. Another effort in this area is the Cloud Computing Incidents Database, which tracks incidents related to cloud computing.