Friday, January 29, 2010

UK data breach report

A new report that covers breaches in the UK (mainly in the retail sector) has been published. I wrote about a similar report from the US, the Verizon data breach report. The UK Security Breach Investigations Report 2010 is the joint work of 7Safe, the University of Bedfordshire, SOCA, and the Police e-crime unit. The report covers 62 genuine breaches investigated over a period of 18 months. Some of the highlights of this report are:
  • In the cases investigated there were many instances where administrator and user credentials were very weak or easily guessable, allowing an attacker to brute force the account to gain a foothold on the system
  • The majority of attacks in this study were from external sources
  • In the study, 40% of all attacks utilised SQL injection as the source of the compromise, with a further 20% using SQL injection combined with another vulnerability such as malware
  • The majority of the cases undertaken (46%) involved a shared hosting environment being hacked
  • Another interesting trend is the increased proportion of website applications being targeted for attack rather than the infrastructure they are hosted upon. The data used for this study shows that in 86% of all attacks, a weakness in a web interface was exploited
Since the majority of cases involved organizations in the retail sector, the breaches involved credit card data. The report lists the PCI compliance level for each of the 12 PCI requirements in the investigated cases. Here are some highlights from the PCI section of the report:
  • A staggering 81% of the breached organisations had not changed the system defaults throughout their cardholder data environment
  • The failure of 100% of the breached organisations to comply with requirement 6 is one of the most telling. Requirement 6 is "develop and maintain secure systems and applications"
  • Whilst many of the organisations investigated actually had firewalls installed, poor configuration of these devices rendered most of them useless.
  • The investigations also revealed that none of the organisations met all requirements of the PCI DSS. Indeed, in just over one quarter of the cases, none of the twelve requirements were met. The maximum number of requirements met by an individual organisation was only 6 out of 12, in approximately 4% of cases.
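Two of the findings above, SQL injection being the source of 40% of the compromises and every breached organisation failing requirement 6 ("develop and maintain secure systems and applications"), are really the same finding. The example below is added here to show what the requirement-6 gap looks like in code; it is not from the report or from 7Safe. It uses a constructed in-memory SQLite table standing in for a retailer's customer lookup, with a query built by string concatenation next to the same query using parameter binding. The input that makes the first version return every row is passed to the second version as a plain value, so it matches nothing.

```python
import sqlite3

# Constructed sample data standing in for a small retailer's customer table.
# The emails and card digits are made up; nothing here comes from the report.
SAMPLE_ROWS = [
    (1, "alice@example.com", "4242"),
    (2, "bob@example.com", "1111"),
    (3, "carol@example.com", "9876"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Requirement-6 failure: user input is spliced into the SQL text.

    Any quote character in `email` changes the structure of the statement,
    so the database ends up executing whatever the caller typed.
    """
    sql = (
        "SELECT id, email, card_last4 FROM customers WHERE email = '"
        + email
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """The fix: the statement is fixed text and `email` is bound as a value.

    The driver never parses the input as SQL, so quotes in it are just data.
    """
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email):
    """Return (rows from the vulnerable query, rows from the safe query)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, email), lookup_parameterised(conn, email)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print(compare("alice@example.com"))
    # A tautology in the input: the concatenated query returns every card,
    # the parameterised query returns nothing because no such email exists.
    print(compare("x' OR '1'='1"))
```

The point worth taking from the comparison is that the safe version is not longer or harder than the vulnerable one; the difference is only whether the input reaches the database as code or as a value, which is exactly the kind of control requirement 6 asks for.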
One major finding I see here is that shared hosting environments account for the majority of the cases. We can assume that hackers are now targeting hosting providers because once they succeed in penetrating these systems, they get access to data from multiple businesses. This is one thing to watch out for in the future.

Other than this, the report does not indicate anything earth shattering; these are the things that we all preach or everyone is aware of. The interesting thing is that many organizations still don't "get it". It is the responsibility of information security practitioners to make organizations and business unit leaders aware, and such reports definitely help convey the message.

Such forensic analysis reports show more accurate data since they involve real world breaches rather than user surveys or business perceptions. Such reports can be used to understand the threat landscape and measure where your organization stands in mitigating these types of threats.
