Layer Seven Security

Verizon Data Breach Investigations Report (DBIR) 2013: ‘This isn’t a threat you can afford to ignore’

The breadth and depth of the 2013 Verizon Data Breach Investigations Report (DBIR) is unprecedented. Released this Monday, the report brings together the investigations performed by nineteen law enforcement agencies, research institutions and private security firms that combat data breaches, including the European Cybercrime Centre (EC3), the U.S. Secret Service and the Department of Homeland Security. The global study represents the most comprehensive assessment of the drivers of information leakage. The findings and recommendations in the study are based on the analysis of 47,000 security incidents and over 600 confirmed breaches. They provide unparalleled insight into attackers and their methods, enabling organizations to establish more effective countermeasures against such threats.

[Figure: Verizon DBIR 2013 Key Fin]

Threat Actors

The study categorizes threat actors into three key groups: Organized Crime, State-Affiliated and Activists. These groups tend to originate from distinct regions, target different types of assets and data, and employ distinctive attack methods. Organized crime actors, for example, generally stem from Eastern Europe and North America and target financial information in companies within the finance, retail and food industries using methods such as hacking and malware.

[Figure: Verizon DBIR 2013 Threat Actor Profiles]

Activists comprise the largest group and are generally opportunistic. Organized criminals are more targeted, but not as targeted and relentless as state-sponsored spies, who use the most sophisticated methods to steal intellectual property, financial data or insider information from organisations. The graph below shows that state-sponsored actors target a variety of sectors, including education, finance and utilities. Nearly three-quarters of espionage attacks were aimed not at the public sector but at companies in the manufacturing, professional services and transportation industries.

[Figure: Verizon DBIR 2013 Victim Industries]

Threat Actions

All threat actors employ hacking and malware to varying extents, including brute-force attacks, spyware, backdoors, SQL injection and the use of stolen credentials. Hacking covers attempts to access information systems, usually by bypassing logical security measures, whereas malware is the use of malicious software, scripts or code designed to alter the behaviour of systems. Both methods are increasingly scalable, automated and anonymous because systems are more accessible through the Internet and more interconnected across organizations.
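Two of the threat actions named above, brute-force logins and the use of stolen credentials, leave recognisable traces in authentication logs. The following is an added example, not code from the DBIR or from Layer Seven Security, that runs simple detection logic over a constructed, simplified log format (timestamp, user, source address, result); the field names, thresholds and sample records are assumptions for the illustration and do not correspond to any SAP log layout.

```python
"""Detection logic for two DBIR threat actions: brute-force login attempts and
the use of stolen credentials. Added example; the log format is constructed for
this illustration and is not an SAP or DBIR format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "<ISO time> user=<id> src=<ip> result=<OK|FAIL>"
SAMPLE_LOG = """\
2013-04-22T08:00:01 user=jsmith src=10.1.1.7 result=FAIL
2013-04-22T08:00:03 user=jsmith src=10.1.1.7 result=FAIL
2013-04-22T08:00:04 user=jsmith src=10.1.1.7 result=FAIL
2013-04-22T08:00:06 user=jsmith src=10.1.1.7 result=FAIL
2013-04-22T08:00:07 user=jsmith src=10.1.1.7 result=FAIL
2013-04-22T08:00:09 user=jsmith src=10.1.1.7 result=OK
2013-04-22T08:15:00 user=akhan src=192.0.2.10 result=OK
2013-04-22T08:20:00 user=akhan src=198.51.100.5 result=OK
2013-04-22T09:00:00 user=bjones src=10.1.1.9 result=OK
"""


def parse_line(line):
    """Split one constructed log line into a record dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_brute_force(records, threshold=5, window=timedelta(minutes=5)):
    """Flag source addresses that produced >= threshold failures inside `window`.
    A successful login from the same source after the burst is recorded as
    'success_after_burst' because it suggests the guessing worked."""
    alerts = {}
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    for src, recs in by_src.items():
        fails = [r["ts"] for r in recs if r["result"] == "FAIL"]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                burst_end = fails[i + threshold - 1]
                success = next((r["ts"] for r in recs
                                if r["result"] == "OK" and r["ts"] > burst_end), None)
                alerts[src] = {"failures": len(fails), "success_after_burst": success}
                break
    return alerts


def detect_credential_sharing(records, window=timedelta(minutes=30)):
    """Flag accounts with successful logins from more than one source address
    within `window`: a common sign that stolen credentials are being used in
    parallel with the legitimate owner. Returns {user: sorted source list}."""
    alerts = {}
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "OK":
            by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            others = {later["src"] for later in recs[i + 1:]
                      if later["ts"] - first["ts"] <= window and later["src"] != first["src"]}
            if others:
                alerts[user] = sorted(others | {first["src"]})
                break
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(recs))
    print("credential sharing:", detect_credential_sharing(recs))
```

On the constructed sample the first detector reports the five failures from 10.1.1.7 followed by a success, and the second reports the akhan account logging in from two addresses five minutes apart. In a real deployment the thresholds would be tuned to the system's normal failure rate, and the second rule needs an allow-list for users who legitimately roam between networks, otherwise it becomes noise rather than the kind of detection the report's recommendations call for.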

[Figure: Verizon DBIR 2013 Threat A]

Recommendations

According to the DBIR, “All kinds of organizations, from government agencies to iconic consumer brands, internet startups to trusted financial institutions have reported major data breaches in the last year. Nobody’s immune, no target is too small, or too large. The methods used by hackers to gain access to data are numerous, wide-reaching and ever-growing. This isn’t a threat you can afford to ignore”. Although attacks may be inevitable, there are clear, concrete measures that organisations should undertake to prevent such attacks from leading to data breaches. Breaches not only have the potential to cause financial and reputational harm, they increasingly require public disclosure: the European Union is expected to introduce mandatory reporting requirements this year, and forty-six U.S. states have already done so. Furthermore, SEC reporting requirements oblige public companies to disclose the nature and extent of cybersecurity incidents to shareholders through corporate filings.

Organisations should implement common security measures to minimize the risk of a data breach and to detect and contain successful attacks. The specific recommendations made by the study include implementing the 20 Critical Security Controls (CSC) advocated by the Consortium for Cybersecurity Action (CCA). The controls are listed in the table below.

[Figure: Verizon DBIR 2013 CCA CSC]

The following table maps the CSC to the most common threat actions identified by the DBIR and demonstrates that effective data breach prevention strategies require a combination of measures in the areas of people, process and technology.

[Figure: Verizon DBIR 2013 CCA and Threat Actions]

The majority of the 20 Critical Security Controls are directly applicable to SAP systems. The improper configuration of SAP applications, platforms, programs and clients can expose such systems to many of the threats identified by the DBIR and to the risk of a data breach. The consequences can be disastrous when poorly configured systems are combined with inadequate boundary and malware defenses, insecure network and landscape architectures, ineffective access controls, and the absence of regular vulnerability assessment and penetration testing. Layer Seven Security has developed a comprehensive white paper to guide SAP customers on the measures required to secure SAP systems against data breaches. The paper advocates a strategy based on the concept of defense in depth. You can download the paper here.

Countering the Threat of Corporate Espionage

According to the results of a survey released by HBGary during the recent 2013 RSA Conference in San Francisco, more than 70 percent of American investors are interested in reviewing the cybersecurity practices of public companies and nearly 80 percent would not invest in companies with a history of cyberattacks. The survey of 405 U.S. investors also found that more than 66 percent of investors are likely to research whether a company has been fined or sanctioned for data breaches before making an investment decision. The survey underscores the fact that today’s investors are acutely aware of the impact of a successful breach on brand reputation and financial performance. This includes the breach of both customer data and intellectual property (IP).

Although the former tends to attract more public attention, the latter has a more pervasive effect on corporate competitiveness and performance. A 2012 FBI report entitled Economic Espionage: A Foreign Intelligence Threat to American Jobs and Homeland Security revealed that the cost of IP theft to U.S. companies resulting from commercial espionage was over $13 billion in the last fiscal year. IP-intensive industries account for almost 35 percent of U.S. gross domestic product (GDP) and over 60 percent of merchandise exports. Furthermore, they support 40 million jobs in the United States.

Legal protections such as copyrights, patents and trademarks do not effectively protect intellectual property that can be stolen and moved to regions in which such protections are not effectively enforced. The importance of IP to the national economy and the difficulty of enforcing rights outside the U.S. have led the Department of Homeland Security to brand IP theft as one of the most dangerous threats to national security. In the words of the Assistant Director of the FBI’s Counterintelligence Division, “with each year, foreign intelligence services and their collectors become more creative and more sophisticated in their methods to undermine American business and erode the one thing that most provides American business its leading edge: our ability to innovate.” In a statement to a subcommittee of the House of Representatives last year, the Assistant Director cited the efforts of a foreign corporation to extract information related to the production of titanium dioxide from the DuPont Corporation in 2011. DuPont is an industry leader in the market for titanium dioxide, estimated to be worth $12 billion.

Although IP theft is far from new, it is amplified by globalization, the increasing interconnectedness of business partners and the accessibility of electronically-stored intellectual property.

In response, the U.S. Government Accountability Office (GAO) recommends a variety of technical controls designed to manage access to information, ensure system integrity and encrypt sensitive data. These include measures to safeguard network boundaries, enforce authentication and authorization, protect against malware, secure communication paths, and analyze, detect and patch vulnerabilities.

The protection of intellectual property within SAP environments requires a combination of countermeasures covering the triad of people, process and technology. The importance of the first and second of these areas should not be understated. Data breaches often result not from the absence of effective technical controls but employee actions or inactions caused by a lack of awareness and training. Therefore, data protection policies and procedures, including incident response plans, are an important component of strategies to safeguard intellectual property. Process-level measures should include risk assessments to isolate and classify IP, and to identify relevant threats.

Technical countermeasures should include secure landscape architectures. Firewalls and proxy servers should be used to filter access to SAP systems with properly configured ingress and egress rules. Furthermore, network traffic should be monitored and controlled through in-line intrusion prevention systems and Security Information and Event Management (SIEM) systems capable of detecting and responding to certain types of attacks. Data Leak Prevention (DLP) technologies can also be deployed to block the exfiltration of confidential data. Unfortunately, network-level controls are often sidestepped by targeted and sophisticated attacks. DLP, for example, can be bypassed by encoding or encrypting data and transmitting it out of corporate networks over protocols such as VoIP rather than over SMTP and FTP, which DLP systems commonly monitor.
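The DLP limitation described above is easy to reproduce: a content inspector that only pattern-matches the raw bytes of an outbound message does not see a classification marker once the message has been encoded. The following added example, which is not code from any DLP product or from Layer Seven Security, contrasts such a naive check with one that also looks through one or two layers of base64 encoding before matching. The confidential-document marker pattern, the sample messages and the depth limit are constructed assumptions for the illustration.

```python
"""Why encoding defeats pattern-matching DLP, and how a content inspector can be
extended to look through common encodings. Added example; the marker pattern and
the sample messages are constructed for this illustration."""
import base64
import re

# Constructed classification marker: documents tagged with an internal project
# code such as "PRJ-TIO2-0042" are treated as confidential (assumed convention).
MARKER = re.compile(rb"PRJ-[A-Z0-9]{4}-\d{4}")

# A run of base64 alphabet characters long enough to be worth decoding, bounded
# so that we decode whole tokens rather than fragments of a longer run.
B64_TOKEN = re.compile(rb"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def naive_dlp(payload: bytes) -> bool:
    """Plain pattern match on the outbound bytes, as a simple DLP rule would do."""
    return MARKER.search(payload) is not None


def _views(payload: bytes, depth: int):
    """Yield the payload itself and the decoding of every embedded base64 token,
    recursing up to `depth` layers so that doubly-encoded data is also inspected."""
    yield payload
    if depth == 0:
        return
    for match in B64_TOKEN.finditer(payload):
        try:
            # validate=True rejects tokens with stray characters or bad padding
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield from _views(decoded, depth - 1)


def decoding_dlp(payload: bytes, depth: int = 2) -> bool:
    """Match the marker in the raw payload or in any decoded layer up to `depth`."""
    return any(MARKER.search(view) for view in _views(payload, depth))


# Constructed outbound messages: one plain, one base64-encoded, one encoded
# twice, and one benign message that must not trigger either check.
_PLAIN = b"Attached: process notes for PRJ-TIO2-0042, do not forward."
SAMPLES = {
    "plain": _PLAIN,
    "encoded": b"FYI " + base64.b64encode(_PLAIN) + b" thanks",
    "double": b"Payload: " + base64.b64encode(base64.b64encode(_PLAIN)),
    "benign": b"Lunch at noon? Meeting room B.",
}


def scan_samples():
    """Return {name: (naive_result, decoding_result)} for every sample message."""
    return {name: (naive_dlp(p), decoding_dlp(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, deep) in scan_samples().items():
        print(f"{name:8s} naive={naive!s:5s} decoding={deep}")
```

Running it shows the naive rule catching only the plain message while the decoding rule catches the plain, encoded and doubly-encoded copies; lowering `depth` to 1 makes the doubly-encoded message slip through again, which is the general point: every inspection layer has a bound the attacker can exceed. Encrypted traffic cannot be inspected this way at all, so content inspection has to be paired with egress rules that restrict which protocols and destinations may leave the network, and with the endpoint and application controls the next paragraph describes.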

Therefore, technical countermeasures must be applied within multiple, interdependent areas to safeguard SAP assets. This includes application, platform, program and end-user areas. Layer Seven Security’s new white paper, Defense in Depth: An Integrated Strategy for SAP Security, outlines a layered approach to protecting data in SAP systems. The paper discusses methods to secure SAP applications, programs, servers, databases, and other components against attacks that attempt to exploit common weaknesses in such environments and extract proprietary, sensitive and valuable forms of intellectual property from organizations.