Data Breaches Attack All Parts Of A Business

Uploaded on 2017-03-27 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Data breaches are an enterprise problem involving legal counsel, human resources, corporate communications and other incident response (IR) stakeholders, say Verizon.

This is based on Verizon’s Data Breach Directory (DBD) case files that provide most of the data for its Data Breach Investigations Report (DBIR), and the latest report lists the 16 most common or lethal data breach scenarios from the point of view of IR stakeholders.

Each scenario is based on anonymised real-world data breach responses and is designed to resonate with IR stakeholders to help them improve their future contributions to data breach responses.

The DBD also maps incident patterns, showing that the accommodation and food services industry needs to focus on point of sales (PoS) intrusions and distributed denial of service (DDoS) attacks, for example, while public administration should focus on insider threats, privilege misuse and crime-ware.

“Companies need to be prepared to handle data breaches before they happen in order to recover as quickly as possible, otherwise breaches can lead to enterprise-wide damage that can have devastating and long-lasting consequences, such as loss of customer confidence,” said Bryan Sartin, executive director of Verizon’s computer forensics practice.

“The DBD is designed to help businesses and government organisations understand how to identify signs of data breach, important sources of evidence and ways to investigate, contain and recover from a breach quickly,” he said.

The report also highlights five actions organisations should take after a breach:

  • Preserve evidence and consider the consequences of every action taken.
  • Be flexible enough to adapt to evolving situations.
  • Establish consistent methods for communication.
  • Know your limitations and collaborate with other stakeholders when necessary.
  • Document all actions and findings, and be prepared to explain them.

“Preserving evidence is very important, but often investigators are told that an affected machine has been wiped and consequently they have very little to work with,” said Laurance Dine, managing principal of investigative response at Verizon Enterprise Solutions.

“In addition to preserving evidence and documenting absolutely everything, it is also extremely helpful if organisations can give investigators a ‘golden image’ for machines because that makes it easy to eliminate everything that should be there, so we can concentrate on whatever remains,” he said.

The “Absolute Zero” scenario deals with the human element in the form of security risks of disgruntled employees and maps to the human resources department, for example, while the “Panda Monium” deals with conduit devices, specifically security risks of internet of things (IoT) devices and maps to the incident response commander.

Each scenario indicates the sophistication level, the associated incident pattern drawn from the DBIR, the time to discovery, the time to containment, the industries typically targeted, the threat actor involved, typical motives, key IR stakeholders and recommended countermeasures.

Panda Monium scenario

In the case of the Panda Monium scenario, involving IoT devices within an organisation being used to carry out a DDoS attack on the organisation, the sophistication level is 2 to 3, the incident pattern is DDoS attacks along with privilege misuse and crime-ware, the time to discovery is normally measured in hours, time to containment is also measured in hours, threat actors are likely to include activists and state-affiliated actors.

Motives are likely to include grudges and ideology, tactics are likely to include privilege abuse and the exploitation of vulnerabilities, targeted industries are likely to include education and manufacturing, and stakeholders include the incident commander as well as legal counsel and corporate communications.

Although this kind of attack is not common, it is currently classified as “lethal” because it can paralyse organisations, but it is likely to become more common in future, said Dine.

Verizon notes that security is often an afterthought when it comes to IoT devices, which means these devices are often vulnerable to a wide array of threats.

The scenario included in the DBB is about a university that was experiencing slow or inaccessible network connectivity that was eventually linked to a type of denial of service (DoS) attack that used vending machines and other IoT devices on the university network to carry out domain name system (DNS) lookups for subdomains related to seafood.

“This was an unusual case because the university’s own IoT infrastructure was being used to slow down the network through DNS lookups rather than external IoT devices being used in a classic DDoS attack to bombard the target with online requests,” said Dine.  

The firewall analysis identified more than 5,000 discrete systems making hundreds of DNS lookups every 15 minutes, with nearly all systems on the segment of the network dedicated to the university’s IoT infrastructure.

Analysis of the domains requested identified that only 15 distinct IP addresses were returned, and four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet.

Although Verizon is unwilling to confirm any details, the fact that the incident took place in the past year and that the botnet spread from device to device by brute-forcing default and weak passwords, makes it likely that the scenario is based on an attack by the Mirai botnet or one of its variants.

Once the password was known, the DBB said the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password, locking investigators out of the 5,000 affected systems.

Analysis of previous malware samples had shown that the control password, used to issue commands to infected systems, was also used as the newly updated device password. These commands were typically received via hypertext transfer protocol (HTTP) and, in many cases, did not rely on secure sockets layer (SSL) to encrypt the transmissions.

Assuming that this was also the case in the university attack, incident responders set up a full packet capture capability to inspect the network traffic and identify the new device password. Once captured, the information was used to perform a password change before the next malware update to regain control of all IoT devices and remove the malware infection.

The DBD recommends the following mitigations/countermeasures:

  • Create separate network zones for IoT systems so they are air-gapped from other critical systems.
  • Do not allow direct ingress or egress connectivity to the Internet.
  • Implement an in-line content filtering system.
  • Change default credentials on devices.
  • Use strong and unique passwords for device accounts and Wi-Fi networks.
  • Regularly monitor events and logs to hunt for threats at endpoints and at the network level.
  • Scan for open remote access protocols on your network.
  • Disable commonly unused and unsecured features and services, such as Universal Plug and Play.
  • Include IoT devices in IT asset inventory.
  • Regularly check manufacturer websites for firmware updates.
  • Ensure secure configurations for hardware and software.
  • Limit and control network ports, protocols and services.
  • Secure configurations for network devices such as routers and switches.

The DBB recommends that anyone responding to an IoT security incident should:

Develop and follow predesigned IR playbooks to tackle IoT device-related incidents.
Scope and contain the incident immediately by segregating the affected subnet.
Restrict network ingress and egress communication to/from the affected subnet.
Change admin or console passwords of the IoT systems and controllers.
Use network forensics, to include network logs, NetFlow data and packet captures.
Consider informing law enforcement and government computer emergency response teams.

The DBB notes that the rapid proliferation of IoT devices has led to as many new issues as the underlying devices were intended to solve.

“The underlying problem is that many IoT manufacturers are primarily designing their devices for functionality, and proper security testing often takes a back seat,” the report said. “It is even more necessary with IoT devices that the buyer scrutinises the security of any devices they use.”

According to Verizon, IoT botnets spread quickly because they do not face some of the problems conventional botnets do, due to the fact that IoT devices are often rarely patched or updated.

Also, the makers of IoT devices, along with the users that own and operate them, are not always directly affected by a compromise or even immediately aware that their devices played a role in a cyber security incident.

In a number of these circumstances, the IoT environment used in an attack is not actually the intended victim, but rather an involuntary accomplice that is being used to attack an unrelated third-party target, the report said.

“IoT threats go well beyond a typical security breach where concerns revolve around the theft of confidential data. In this new age of IoT breaches, we are seeing a growing and wide-ranging impact in our physical world as well as on human life and even a changing financial and legal liability landscape,” the report said, adding that this should prompt organisations to think about IoT threat modelling in a way that incorporates security and privacy by design.

“An IoT solution requires a detailed and comprehensive security and privacy framework, an area that, unfortunately, still requires a lot of work on design, as well as a substantial impetus on collaboration by the IoT market players on the underlying security,” the report said.

Computer Weekly

Directors Report January 2017. Cyber Security Checklist For Management (£):

 

 

« Ethics of Drones, Remote Weapons and Robots
Stealthy Malware Is Going Mainstream »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IOActive

IOActive

IOActive serves as a trusted security advisor to the Global 500 and other progressive enterprises, helping to safeguard their most important assets and improve their overall security posture.

Vertical Structure

Vertical Structure

Vertical Structure services include Security & Penetration Testing, Information Assurance, Bespoke Training Programs and Secure Hosting.

Delta Risk

Delta Risk

Delta Risk is a global provider of managed security services and cyber security risk management solutions to government and private sector clients.

Careerjet

Careerjet

Careerjet is a leading online job search engine with a large presence worldwide, sourcing millions of job ads from thousands of websites from all over the world in areas including Cybersecurity.

IoT Security Institute (IoTSI)

IoT Security Institute (IoTSI)

IoT Security Institute is an academic and industry body dedicated to providing frameworks and supporting educational services to assist in managing security within an Internet of Things eco-system.

CYBER.ORG

CYBER.ORG

CYBER.ORG's goal is to empower educators as they prepare the next generation to succeed in the cyber workforce of tomorrow.

Spamhaus

Spamhaus

Spamhaus is the world leader in supplying realtime highly accurate threat intelligence to the Internet's major networks.

Cyber Security Cooperative Research Centre (CSCRC)

Cyber Security Cooperative Research Centre (CSCRC)

The CSCRC provides frank and fearless research and in-depth analysis of cyber security systems, the cyber ecosystem and cyber threats.

Quad9 Foundation

Quad9 Foundation

Quad9 is a free security solution that uses DNS to protect your system against the most common cyber threats. It improves your system's performance, plus, it preserves and protects your privacy.

CryptoDATA

CryptoDATA

CryptoDATA develops products and services based on Blockchain technology, that ensure user security and data encryption, applicable in various fields.

risk3sixty

risk3sixty

Risk3sixty are information and cyber risk management craftsmen helping build business-first security and compliance programs.

Flotek

Flotek

Flotek is an IT & Comms service provider delivering SMEs with trusted, innovative and cost effective cloud technology, with confidence, clarity and clout.

CyberSecureRIA

CyberSecureRIA

We founded CyberSecureRIA specifically to secure and support RIAs. We exist to secure SEC-registered RIAs, and keep them compliant with cybersecurity regulations.

VeriBOM

VeriBOM

VeriBOM is a SaaS security and compliance platform that helps protect you and your customers through automation, documentation, and transparency for every software application you build or run.

Haiku

Haiku

Haiku stands at the forefront of cybersecurity upskilling, leveraging video games to immerse you in a flow state for accelerated, enduring learning.

Blue Mantis

Blue Mantis

Blue Mantis is a security-first, IT solutions and services provider with a 30+ year history of successfully helping clients achieve business modernization.