Organisations, regardless of industry and size, continue to face costly data breaches, but the
most common attack methods are often neither sophisticated nor obscure.
So what are the most common ways criminals are getting access to corporate networks?
In many cases, it is through obvious doors into the organisation, such as legitimate remote
access applications, according to John Yeo, director of Trustwave SpiderLabs, Europe.
In the past year, his team has collected data from 300 data breach investigations in 18
countries, 2,000 penetration tests and more than two million vulnerability scans, and published its
findings in the Trustwave 2012 Global Security Report.
Remote access entry points
The data reveals that in 62.5% of cases, attackers were able to harvest data in transit within
the victim organisation through remote access applications used by internal staff, contractors and
supply chain partners.
"The first problem is that most of the organisations targeted in this way do not know which of
the thousands of apps they use provide remote access," Yeo told Computer Weekly.
In many cases, he said, access points are set up by individual business units or support
organisations without the knowledge of those responsible for IT security.
According to the Trustwave report, a third party responsible for system support, development or
maintenance of business environments introduced the security deficiencies exploited by attackers in
76% of cases investigated.
"Outsourcing of system admin is a major risk factor associated with compromise," said Yeo.
"Non-functional security requirements are often left out of outsourcing contracts because the focus
is on getting the job done."
Weak passwords leave systems open to attack
In several cases, investigators found that systems integrators had used the same password across
all customers. "Criminals know this, so when they find a password, they will try that password on
all the customer organisations they are able to identify," said Yeo.
This makes many of the organisations relatively easy to target because they are still using weak
or default administrator passwords, he said.
Analysis of two million real-world passwords used within corporate information systems found
that 5% of them used weak passwords such as "Password1" and 1% based on the word "welcome".
"Password1 is commonly used by admins because it satisfies the minimum requirements of eight
characters, at least one upper-case letter and at least one number," said Yeo.
Many companies set up passwords such as "Welcome123" for new starters, which users often fail to
change, but it all boils down to poor administration, he said.
In one instance, Trustwave SpiderLabs found that attackers were able to compromise as many as
250 unique critical systems at a single target location by exploiting duplicate credentials.
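The point Yeo makes about "Password1" is that a rule of eight characters, one upper-case letter and one digit is satisfied by exactly the passwords attackers guess first. The following added example (not code from the article or from Trustwave) contrasts that minimum rule with a policy check that normalises the candidate, rejects blocklisted roots such as "password" and "welcome", and refuses the "word plus digits" pattern behind "Welcome123". The blocklist and the character substitution table are constructed for illustration; a real deployment would load a large list of breached passwords.

```python
import re

# Constructed blocklist of password roots; the article names "Password1" and
# "welcome" as the most common weak choices. A production check would load a
# breached-password list instead of this hand-written set.
WEAK_ROOTS = {"password", "welcome", "admin", "letmein", "changeme"}

# Common substitutions undone before the blocklist lookup, so "P@ssw0rd" is
# recognised as "password". Assumption: this small table is sufficient for the demo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def naive_policy(pw):
    """The minimum rule quoted in the article: eight characters, at least one
    upper-case letter and at least one digit. "Password1" passes."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def normalise(pw):
    """Reduce a password to its alphabetic root: lower-case it, strip leading and
    trailing runs of digits/punctuation, then undo leet substitutions."""
    s = pw.lower()
    s = re.sub(r"[\d\W_]+$", "", s)   # drop "1", "123", "2024!" style suffixes
    s = re.sub(r"^[\d\W_]+", "", s)   # drop leading digits/punctuation
    return s.translate(LEET)


def hardened_policy(pw, min_len=12, blocklist=WEAK_ROOTS, username=None):
    """Return (accepted, reason). Checks are ordered so that the most useful
    reason is reported first; length is checked last."""
    if not pw or pw.isspace():
        return False, "blank"
    if normalise(pw) in blocklist:
        return False, "blocklisted root"
    if username and username.lower() in pw.lower():
        return False, "contains username"
    # A single word followed by a short run of digits/symbols is the shape of
    # "Welcome123" and "Summer2024!": complexity rules pass it, guessers try it first.
    if re.fullmatch(r"[A-Za-z]+[\d\W_]{1,6}", pw):
        return False, "word plus suffix"
    if len(pw) < min_len:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample candidates, not data from the report.
    for candidate in ["Password1", "Welcome123", "P@ssw0rd2024!", "Summer2024!",
                      "correct-horse-battery-staple"]:
        print(f"{candidate!r:34} naive={naive_policy(candidate)!s:5} "
              f"hardened={hardened_policy(candidate)}")
```

The normalisation step matters more than the blocklist itself: without it, "P@ssw0rd2024!" satisfies every complexity rule and is not in any blocklist, yet it is one substitution table away from the most common password in the dataset.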
Breach detection should be better managed
The next weakness shared by 84% of organisations hit by breaches investigated by Trustwave
SpiderLabs was the inability to detect that their IT systems had been compromised.
According to the Trustwave Global Security Report, only 16% of the organisations breached had
detected the data compromise themselves. The remainder had been informed of the breach by third parties.
"There is still a huge reliance by organisations on regulatory bodies, law enforcement and
credit card payment processors to know if they have been compromised," said Yeo.
Investigations show that on average the time between intrusion and detection is about six
months, compared with just 43 days in organisations that have self-detection capabilities.
An allied problem, said Yeo, is that often when someone within an organisation has noticed an
anomaly, nothing has been done. "It is not just about having detection technologies, organisations
also need to have the correct processes in place to ensure action is taken when required," he
said.
Central control is desirable
In this regard, Yeo said it is also important for organisations to be able to correlate security
information across all IT systems. "It is difficult to take action when relevant data is isolated
in various silos within the business," he said.
The absence of a central information security view or control over applications is common among
highly vulnerable organisations, according to Yeo.
A single top-down approach to applications is enabled only when organisations have visibility
across their entire application portfolio. "Knowing what you have got is essential to being able to
rate applications according to their criticality to the business or of the information they
process, and assign the appropriate protections based on that rating," he said.
Yeo said organisations should have a more data-centric approach to security because data is what
they ultimately want to secure. "In theory, at least, if data is secure, it is less important who
has access to the network," he said.
Tips for protecting corporate networks
What other simple things can organisations do to improve their resistance to attack?
There are several quick wins, said Yeo. First, organisations need to set up systems in such a
way that it is impossible to use weak, blank or easily guessable passwords.
"If an attacker is able to get into a network user's account, even if they are on a low level,
it is just a matter of time before they can work their way up to getting into an admin account, and
then it is game over," he said.
Second, organisations should standardise on the hardware and software used by everyone to make
security and management easier. "In a standardised environment, it is less likely that IT will
forget to update systems as they will have a better view and understanding of what is going on,"
said Yeo.
Third, organisations should continually work to raise the security awareness of IT users, tailored
to each individual's role in the business, including contractors and other third parties that have
access to corporate systems.
It is also worth noting that organisations which score highly in penetration testing typically
use two-factor authentication methods. "This makes it more difficult for attackers to gain entry
through automated password guessing," he said.
More resilient organisations also typically use web application firewalls, which provide a base
level of protection against many common web-based attacks, said Yeo.
New data protection rules
Yeo believes it will. "In many organisations, data protection is seen as an IT problem, but the
proposed regulations require company directors to take ownership," he said.
The regulations also make breach disclosure mandatory, so ignorance is no defence for failing to
disclose; knowing what is going on in their systems will therefore be a basic requirement for
company leaders.