Only 16 per cent of organisations that faced a breach in 2011 detected it prior to a notification by a third party, according to an analysis of investigations conducted last year by [[xref: https://www.trustwave.com/pressReleases.php?n=trustwave-report-reveals-global-data-breach-and-security-trends |Trustwave's SpiderLabs security team|]].
The vast majority, 84 per cent, were informed by either a regulatory body, law enforcement or the public, and on average the attackers behind the breach that was discovered by a third party had 173.5 days to rummage around the target’s environment.
The report shows that the time between the initial breach and when an investigation takes place is up to three years.
The important figure that distinguishes self-identification to discovery from an external source was that in the case of self-identification, the organisation knew of the breach on average after 43 days rather than 173 days.
Currently the most common way for an organisation to discover they have been breached is through regulatory notification. In a third of the cases law enforcement notified the organisation, up from just 7 per cent in 2010.
One of the most common methods of infiltrating corporate IT systems was weak administrator username and password combinations.
A particular risk for organisations was IT outsourcing arrangements, which provided third-party VPN access to internal systems. Hackers scan the web for ports used by remote access applications, which remain highly vulnerable when default configurations are left in place. Sixty-one per cent of infiltration cases occurred using this method and 19.9 per cent occurred through weak credentials or client side attacks.
Client side attacks were primarily (60 per cent) caused by system admins using production environments for personal use, such as accessing personal email accounts, social networking sites and Flash and Java-based gaming sites.
SQL injection attacks were also in 6.9 per cent of the incidents SpiderLabs investigated.
In terms of getting data out of the organization, attackers often exploited the lack of “egress” our outbound filters. Firewall deficiencies were behind 84 per cent of successful exfiltration cases. Correct firewall configurations should ensure data is being sent to the propoer location, over the proper port, using an authorised protocol, Trustwave points out.
Australia: POS systems in focus.
Trustwave reports that investigations its Spider Labs division conducted in Australia focused primarily on point of sale (POS) systems, such as the PIN entry device used to read cards and collect PINs.
While attacks on improperly stored data on the PIN device were more common, its investigators picked up the first data “in transit” attack in late 2011, marking a migration of an attack technique already seen in the US and Europe.
In the case of an in-transit attack, the criminal would use memory dumping malware that intercepts and captures clear-text payment card data transmitted between the PIN entry device and the POS system.
It did not disclose how many investigations it has conducted in Australia, but said that 90 per cent of its investigations in the APAC region related to payment card data compromises, noting that attacks had shifted away from e-commerce sites towards POS systems.