DBIR INDUSTRY SNAPSHOT: FINANCE AND INSURANCE
DATA BREACH INVESTIGATIONS REPORT
A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information Security Service, Police Central e-crime Unit, and United States Secret Service.
Verizon's annual Data Breach Investigations Report (DBIR) [1] analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who's stealing it, why they're doing it, how the victims responded, and what might have been done to prevent it. This Industry Snapshot draws information from the DBIR data set, but is focused exclusively on approximately 190 confirmed data breaches over the last two years within the Finance and Insurance industry [2]. As with the annual DBIRs, the findings in this Snapshot are arranged using the Vocabulary for Event Recording and Incident Sharing (VERIS) [3] framework and based on breaches investigated by Verizon's RISK Team or one of our partner organizations, which include the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-crime Unit, and United States Secret Service. Also like the DBIRs, all incidents in this snapshot involved confirmed unauthorized access and exfiltration of non-public information rather than potential exposures and other data-at-risk events.

SUMMARY OF FINDINGS
Organizations in the Finance and Insurance industry face some unique challenges with regard to information protection. While not immune to routine opportunistic attacks by miscreants who continually scour the Internet for easy pickings, their status as a high-value target means they attract significantly more directed and tenacious criminal attention. Because of this, they typically have a higher degree of maturity around security controls and processes, especially when compared to other industries like Retail and Accommodation and Food Services. But no defense is foolproof, and adversaries, especially determined ones, adapt. And that's one of the main lessons the Finance-specific DBIR data reinforces.
Overall, breaches in this sector were primarily about the money, whether targeting it directly (by accessing internal accounts and applications) or indirectly (through downstream fraud). Attackers appear to be leveling their sights on assets core to the business model of many financial organizations, like Automated Teller Machines (ATMs), web applications, and even employees. The methods used to compromise them are as diverse as the assets themselves: physical tampering, stolen credentials, SQL injection, and social engineering all occurred at levels not seen in other industries. Although these findings do not suggest an easy, all-inclusive list of steps to keep financial organizations out of the headlines, they do shine some light on problem areas that can lead to more informed decisions.

[1] To learn more about the DBIR series, visit verizon.com/enterprise/dbir.
[2] We use the North American Industry Classification System (NAICS) to classify victim organizations. Descriptions of this and other industry groups can be found at census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012.
[3] For more information on VERIS or any of the classifications used in this report, see veriscommunity.net.
VICTIM DEMOGRAPHICS
Apart from the obvious industry commonality, the primary demographic observation to make about the victims in this snapshot relates to size. Table 1 gives a breakdown of breach victims based on the number of employees. While this may appear like an even spread across all categories, it is, in fact, skewed towards larger organizations. This is especially so when compared with other industries in our sample. Across all incidents in the 2012 DBIR, about 80% of victims had fewer than 100 employees (compared to 1 in the Finance and Insurance industry). What exactly can we draw from this statistic? To be honest, it's difficult to know for sure. Financial service organizations generally tend to be larger than, for instance, retail and restaurant franchises, and this may simply be a reflection of that. It could also indicate a comparatively higher level of security awareness and preparedness among even the smaller financial firms. Perhaps criminals actively target larger organizations in this industry, hoping to score a bigger or more valuable haul.

Table 1. Organizational size (number of employees) by number of breaches in the Finance and Insurance industry

Employees            Breaches
1 to 10              3
11 to 100            12
101 to 1,000         41
1,001 to 10,000      20
10,001 to 25,000     12
25,001 to 50,000     2
50,001 to 100,000    6
Over 100,000         38
Unknown              54

THREAT AGENTS
Entities that cause or contribute to an incident are referred to as threat agents. VERIS recognizes three main categories of agents: those originating outside the victim organization (external), those inside the victim organization (internal), and those involving any third party sharing a business relationship with the victim (partner).

Figure 1. Threat agents by percent of breaches in the Finance and Insurance industry
External   96%
Internal   9%
Partner    (value not legible in the extracted figure)

In a finding unlikely to shock anyone, breaches perpetrated against Finance and Insurance organizations were almost exclusively motivated by financial or personal gain. Threat agents, whether external or internal, seek to either gain direct access to money or nab information that can (through various and sundry schemes) be converted into it.

Evident from Figure 1, external threat agents were by far the most prevalent, and they consisted largely of professional criminal groups around the world (Eastern Europe being the largest origin of attack). These groups are notorious for knocking over smaller, low-risk targets in droves, but some of them do specialize in or branch out to larger, harder (and usually juicier) targets like those found in the Financial sector.
Given such a strong showing for external threat agents, it's tempting to overlook the 9% of breaches involving employees of the victim organization (the overlap indicates some collusion between external and internal agents). The insiders involved were typically those responsible for handling financial transactions, such as bank tellers and loan officers. Nine percent may seem like a small number, but Finance has one of the highest rates of internal breaches in our data set. It's also important to note that we see many incidents perpetrated by insiders that don't meet our requirements for inclusion in the DBIR. For example, a bank employee who fraudulently withdraws or transfers funds will be guilty of theft, but not necessarily data theft (unless they access restricted information and/or provide it to unauthorized parties). If that type of insider fraud were included, the numbers for internal threat agents in the Finance and Insurance industry would dwarf those in other industries.

THREAT ACTIONS
Threat actions describe what the threat agent did to cause or to contribute to the breach, and Figure 2 shows a categorical breakdown of those used against Finance and Insurance victims. The long blue bar corresponding to Physical threats may be a bit of a surprise, since most associate breaches with cyber attacks. Yet the goal of the DBIR is to record and analyze all manner of data compromise events, however they may occur. The net result is the same whether data was taken out through a network backdoor or through a physical one. With respect to the results at hand, nearly all breaches in the Physical category involved the installation of skimming and camera devices on ATMs to capture magnetic stripe data and PINs (see tampering and surveillance in Table 2). Recognizing the ratio of physical attacks depicted here may help inform risk management practices within this industry.

Figure 2. Threat action categories by percent of breaches in the Finance and Insurance industry
Malware    24%
Hacking    22%
Social     1 (value truncated in the extracted figure)
Misuse     9%
Physical   6 (value truncated in the extracted figure)
Error      2%

Another important takeaway from Figure 2 is that the threat actions are relatively balanced (at least when contrasted against other industries). This is likely due to a comparatively more robust security posture exhibited by the typical financial institution, enabling it to withstand the highly opportunistic and simplistic attacks that succeed against softer targets. When these initial volleys fail, attackers either move on to another victim or diversify/intensify their methods. Since organizations in the Finance and Insurance industry are often targets of choice rather than opportunity, some criminals will continue to poke (using various techniques) until they find a hole. This results in a more diverse threat landscape, and, therefore, the need for a more diverse control landscape.
Table 2. Threat action varieties by percent of breaches in the Finance and Insurance industry

Rank  Variety                                                            Category  Breaches
1     Tampering                                                          Physical  6 (value truncated)
2     Surveillance                                                       Physical  30%
3     Keylogger/Form-grabber/Spyware (capture data from user activity)   Malware   17%
4     Use of stolen login credentials                                    Hacking   16%
5     Backdoor (allows remote access/control)                            Malware   14%
6     Exploitation of backdoor or command and control channel            Hacking   12%
7     SQL Injection                                                      Hacking   10%
8     Brute force and dictionary attacks                                 Hacking   9%
9     Buffer overflow                                                    Hacking   9%
10    Send data to external site/entity                                  Malware   9%

Aside from the physical actions, there are several additional interesting points to note. The presence of keyloggers near the top of the list isn't a surprise; we see this in most other industries. This variety of malware typically captures usernames and passwords entered into applications via the keyboard. Using those stolen credentials to infiltrate systems is the next step in the attack chain, and, logically, it's also the next action on the list in Table 2. Criminals have come to realize that it's often easier to come and go as they please, using valid credentials and avoiding attention, than it is to find and exploit other system vulnerabilities.

Exploitation of default credentials is missing from the list, while backdoors and SQL injection are present. The former is the bane of countless small-to-medium businesses in our data set, while the latter two continuously challenge even the largest organizations. Backdoors offer a convenient and stealthy way to circumvent a strong network perimeter, and SQL injection targets web applications that play a critical role in the business model of many financial institutions. Further to this point, web applications served as the vector of attack in over 70% of all actions in the Hacking category. Finally, when malware was used in a breach, approximately half of the time it was installed by the attacker after they gained access via some other means. Fewer than one in five incidents involved malware that was installed through network propagation or via the browser (the method most assume to be the biggest infection vector). The difference there leads us to conclude that malicious software was used more as a means to escalate or continue an attack than to gain initial entry to the network.

COMPROMISED ASSETS
If an organization were to take an asset-centric approach to information security, Figure 3 provides an excellent starting point for prioritizing efforts. Over half the breaches involved ATMs, which is in line with findings presented in the Threat Actions section. Focusing on issues such as ATM placement and regular monitoring may help reduce tampering-related incidents.
Figure 3. Compromised assets by percent of breaches in the Finance and Insurance industry*

Type                                            Category      Breaches
Automated Teller Machine (ATM)                  User devices  56%
Database server                                 Servers       2 (value truncated)
Web/application server                          Servers       13%
Desktop/Workstation                             User devices  10%
Regular employee/end-user                       People        7%
Physical security system (e.g., badge reader)   Servers       5%
Unknown                                         Unknown       4%
Call Center Staff                               People        (not legible)
Customer (B2C)                                  People        (not legible)
Documents                                       Offline Data  (not legible)

*Assets involved in less than of breaches are not shown

Next on the list we find databases and web servers; together they were targeted in about one quarter of all breaches. This provides further evidence that concentrating on SQL injection and other application-based threats could help reduce incidents in the Financial sector. The combination of people and the devices they use (i.e., desktops/workstations) comes into play here as well. We haven't focused a great deal here on social attacks, but methods of influencing people to share information or perform some action (e.g., install malware) were leveraged in roughly one out of every 10 breaches. Well-designed awareness training that includes end users may yield a reduction in those incidents.

TIMELINE OF EVENTS
Response time is a good indicator of the maturity of an organization's security program. No one wants to be the victim of a breach, but should that happen, it's certainly better to know sooner rather than later to limit exposure and initiate proper corrective measures. Among the major phases we consider in an event scenario are:

Initial Attack to Initial Compromise. The time spanning from the first malicious action taken against the victim until an information asset is negatively affected.
Initial Compromise to Discovery. The time spanning from when the first asset is negatively affected until the victim learns of the incident.
Discovery to Containment/Restoration. The time spanning from when the victim learns of the incident until data is no longer actively exposed.
For a more complete accounting of incident scenario phases, please refer to the DBIR.
Figure 4. Timespan of events by percent of breaches in the Finance and Insurance industry

Phase                                  Seconds  Minutes  Hours  Days  Weeks  Months  Years
Initial Attack to Initial Compromise   34%      17%      13%    22%   8%     5%      -
Initial Compromise to Discovery        -        -        4%     33%   25%    24%     12%
Discovery to Containment/Restoration   -        0%       17%    32%   24%    26%     0%
(Cells marked "-" were not legible in the extracted figure.)

While at first it may seem shocking that one-third of attacks are successful within seconds, it is equally alarming that roughly one-third require days or more to achieve this. That assailants poke around that long before they succeed is a testimony to both the better-than-average security posture of many financial institutions and their status as a high-value target. Plus, these results need to be viewed in light of the methods used to gain initial access; a deft criminal can install a skimmer on an ATM in under a minute, and SQL injection can yield a database dump in nothing flat.

On average, Financial Service victims discovered breaches a bit more quickly than those in other industries, but they also had the highest percentage remaining undiscovered for years. Bigger budgets for detection technologies and staff no doubt help post lower numbers in this area (we won't go so far as to call them good numbers). Likely related to this, financial organizations also have a higher tendency to detect breaches on their own rather than always being notified by external parties. Another interesting takeaway from Figure 4 is the faster-than-normal containment time. While this likely has something to do with the ease of responding to ATM tampering (i.e., ripping off the skimmer), it is also a reflection of formal IR policies and procedures. Of course, with half of all victims falling in the weeks-months range, there is still plenty of room for improvement.
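As an added illustration of the three phases defined above (example code written for this edited page, not part of the Verizon report or its data set), the functions below take an incident's event timestamps, compute each phase's duration, place it in the same Seconds-through-Years buckets that Figure 4 uses, and tabulate percentages across a set of incidents. The bucket boundaries (under one minute counts as Seconds, under one hour as Minutes, and so on, with 30-day months and 365-day years) and the three sample incidents are assumptions made here; the report does not state its own boundaries.

```python
from datetime import datetime, timedelta

# VERIS-style timeline phases used in Figure 4: phase name -> (start event, end event).
PHASES = {
    "Initial Attack to Initial Compromise": ("initial_attack", "initial_compromise"),
    "Initial Compromise to Discovery": ("initial_compromise", "discovery"),
    "Discovery to Containment/Restoration": ("discovery", "containment"),
}

# Assumed bucket boundaries matching the column headings of Figure 4: (upper bound, label).
BUCKETS = [
    (timedelta(minutes=1), "Seconds"),
    (timedelta(hours=1), "Minutes"),
    (timedelta(days=1), "Hours"),
    (timedelta(weeks=1), "Days"),
    (timedelta(days=30), "Weeks"),
    (timedelta(days=365), "Months"),
]


def bucket(delta):
    """Map a duration to the Figure 4 timespan label ("Seconds" ... "Years")."""
    if delta < timedelta(0):
        raise ValueError("phase ends before it starts")
    for upper, label in BUCKETS:
        if delta < upper:
            return label
    return "Years"


def phase_durations(incident):
    """Return {phase: label} for every phase whose two timestamps are present.

    Phases with a missing endpoint (e.g. an open case with no containment date)
    are simply left out rather than guessed.
    """
    out = {}
    for phase, (start, end) in PHASES.items():
        if start in incident and end in incident:
            out[phase] = bucket(incident[end] - incident[start])
    return out


def tabulate(incidents):
    """Percent of incidents per (phase, bucket), as in Figure 4.

    Each phase is normalised over the incidents that have that phase, so an
    open case counts toward the first two phases but not the third.
    """
    counts = {phase: {} for phase in PHASES}
    totals = {phase: 0 for phase in PHASES}
    for inc in incidents:
        for phase, label in phase_durations(inc).items():
            counts[phase][label] = counts[phase].get(label, 0) + 1
            totals[phase] += 1
    return {
        phase: {label: round(100 * n / totals[phase]) for label, n in counts[phase].items()}
        for phase in PHASES
        if totals[phase]
    }


# Constructed sample incidents (illustrative only, not drawn from the DBIR data).
T = datetime.fromisoformat
SAMPLE = [
    # ATM skimmer: placed in under a minute, found weeks later, removed on discovery.
    {"initial_attack": T("2012-03-01T09:00:00"), "initial_compromise": T("2012-03-01T09:00:40"),
     "discovery": T("2012-03-20T14:00:00"), "containment": T("2012-03-20T14:30:00")},
    # Stolen credentials: intrusion after days of probing, discovered months later.
    {"initial_attack": T("2012-01-05T00:00:00"), "initial_compromise": T("2012-01-09T03:15:00"),
     "discovery": T("2012-06-01T10:00:00"), "containment": T("2012-06-15T10:00:00")},
    # Open case: containment date not yet known.
    {"initial_attack": T("2012-05-01T12:00:00"), "initial_compromise": T("2012-05-01T12:00:05"),
     "discovery": T("2012-05-02T08:00:00")},
]

if __name__ == "__main__":
    for phase, dist in tabulate(SAMPLE).items():
        print(phase, dist)
```

Feeding a response team's own incident records through `tabulate` gives a distribution directly comparable to Figure 4, which is the practical use of the phase definitions: the Discovery and Containment rows are the ones a security program can move with its own detection and IR investment.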
RECOMMENDATIONS FOR FINANCE AND INSURANCE
Because our dataset and, therefore, our findings evolve over time and encompass victims of different types, sizes, and geographic locations, creating a list of solid recommendations that work for all organizations is extremely difficult. Our basic advice is to adopt a common sense, evidence-based approach to managing security. Learn what threats and failures most commonly affect organizations like yours, and then make sure your security posture puts you in a position to thwart them.

Over half the breaches we analyzed in the Finance and Insurance industry involved ATM tampering. Keyloggers and stolen credentials factored into the largest number of attacks outside the physical realm. A quarter of incidents involved some combination of a web-based application and/or the database server directly. Finally, we saw social engineering leveraged to trick an employee into divulging information or performing some action in about one of every 10 incidents. Together these represent four common scenarios leading to the theft of information from financial organizations in our dataset. We offer a few pointed recommendations for these below.

ATM Skimming
Choose the physical placement of ATM machines carefully, accounting for the likelihood of tampering. Train employees and customers to look for signs of tampering and fraud; such awareness campaigns have been around in certain areas for some time, but ATM tampering/fraud remains a concern. Organizations operating such devices should consider examining them regularly. Additionally, empower customers to help protect themselves as well as aiding the organization in spotting potential issues.

Stolen Credentials
Keeping credential-capturing malware off systems is priority number one. Consider two-factor authentication where appropriate. 
If possible, implement time-of-use rules, IP blacklisting (consider blocking large address blocks/regions if they have no legitimate business purpose), and restricted administrative connections (i.e., only from specific internal sources). Introducing a last logon banner and training users to report/change passwords upon suspicion of theft also have promise.

Secure Development
Focus on application testing and code review: while SQL injection attacks are the most common, cross-site scripting, authentication bypass, and exploitation of session variables contributed to many of the network-based attacks. As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to the breaches we've analyzed. Next, include regular reviews of architecture, privileges, and source code. Incorporating a Security Development Life-Cycle (SDLC) approach for application development is recommended as well. Finally, help your developers learn to appreciate and write more secure code.

Training and Awareness
Increase awareness of social engineering: educate employees about the different methods used and the vectors from which these attacks could arise. In many of our cases, we see where users click on links they shouldn't and open attachments received from unidentified persons. Reward users for reporting suspicious people, interactions, e-mail, or websites and create the incentives necessary for vigilance.
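The Stolen Credentials recommendations above (time-of-use rules, blocking address blocks with no business purpose, restricting administrative connections to internal sources, and a last logon banner) can be expressed as checks over logon records. The following is an added example written for this page, not code from Verizon or the DBIR; the network ranges, business-hours window, user names and log lines are all constructed for illustration, and the log format is a hypothetical one-line-per-logon layout.

```python
import ipaddress
from datetime import datetime, time

# Policy values below are constructed for this example, not taken from the report.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Address blocks with no legitimate business purpose for this hypothetical institution
# (TEST-NET-3 is used as a stand-in for a real blocked region).
BLOCKLISTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))      # time-of-use window for interactive logons
ADMIN_USERS = {"dba_admin", "sysop"}            # accounts restricted to internal sources


def in_any(addr, nets):
    """True if the address falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_line(line):
    """Parse one constructed auth-log line: '<iso timestamp> <user> <source ip> <result>'."""
    ts, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "ok": result == "SUCCESS"}


def check_logon(ev):
    """Return the policy rules a successful logon violates (empty list means allowed).

    Failed logons are left to brute-force detection and are not evaluated here.
    """
    if not ev["ok"]:
        return []
    hits = []
    if in_any(ev["src"], BLOCKLISTED_NETS):
        hits.append("blocklisted-source")
    if ev["user"] in ADMIN_USERS and not in_any(ev["src"], INTERNAL_NETS):
        hits.append("admin-from-external")
    start, end = BUSINESS_HOURS
    if not (start <= ev["ts"].time() < end):
        hits.append("outside-business-hours")
    return hits


def last_logon_banner(events, user):
    """Text to display at logon so a user can notice someone else using their credentials."""
    prior = [e for e in events if e["user"] == user and e["ok"]]
    if not prior:
        return f"{user}: no previous successful logon on record"
    last = max(prior, key=lambda e: e["ts"])
    return f"{user}: last successful logon {last['ts'].isoformat()} from {last['src']}"


def audit(lines):
    """Map each offending log line to the rules it breaks."""
    findings = {}
    for line in lines:
        hits = check_logon(parse_line(line))
        if hits:
            findings[line] = hits
    return findings


# Constructed log lines for illustration (not real records).
LOG = """\
2012-10-01T08:05:00 teller42 10.1.4.7 SUCCESS
2012-10-01T23:40:00 teller42 198.51.100.9 SUCCESS
2012-10-02T02:10:00 dba_admin 203.0.113.77 SUCCESS
2012-10-02T09:00:00 sysop 10.0.0.5 FAILURE
""".splitlines()

if __name__ == "__main__":
    for line, hits in audit(LOG).items():
        print(line, "->", ", ".join(hits))
    print(last_logon_banner([parse_line(l) for l in LOG], "teller42"))
```

The rules are deliberately evaluated on successful logons: a stolen but valid credential produces no authentication failure, so the only signals left are where, when and by which account it was used. The banner complements the rules by putting the same information in front of the account owner, who is often the first to know that a late-night logon from an unfamiliar address was not theirs.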
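For the Secure Development recommendation, the contrast between a query built by string concatenation and one that binds parameters is the core of what application testing and code review look for. The example below is added here and is not from the report; it uses Python's built-in sqlite3 module with a constructed customer table, and the six-digit account-number format is an assumption made for the validation layer.

```python
import sqlite3


def make_db():
    """In-memory customer table with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, account_no TEXT, name TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO customers (account_no, name, balance) VALUES (?, ?, ?)",
        [("100200", "A. Example", 1250.00),
         ("100201", "B. Example", 98.50),
         ("100202", "C. Example", 40210.75)],
    )
    return conn


def lookup_vulnerable(conn, account_no):
    """String concatenation: the caller's input becomes part of the SQL text itself."""
    sql = "SELECT account_no, name, balance FROM customers WHERE account_no = '" + account_no + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account_no):
    """Parameter binding: the input is passed as data and cannot change the query's structure."""
    sql = "SELECT account_no, name, balance FROM customers WHERE account_no = ?"
    return conn.execute(sql, (account_no,)).fetchall()


def is_well_formed_account(account_no):
    """Assumed format for this example: exactly six decimal digits."""
    return account_no.isdigit() and len(account_no) == 6


def lookup_validated(conn, account_no):
    """Input validation as a second layer on top of parameter binding."""
    if not is_well_formed_account(account_no):
        raise ValueError("malformed account number")
    return lookup_parameterized(conn, account_no)


# A constructed input of the kind a web application scanner sends: a tautology
# that turns a single-row lookup into a dump of the whole table when concatenated.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:   ", lookup_vulnerable(db, "100200"))
    print("vulnerable, scanner input:  ", lookup_vulnerable(db, TAUTOLOGY))
    print("parameterized, scanner input:", lookup_parameterized(db, TAUTOLOGY))
```

Parameter binding is the primary control; validation is defense in depth and also rejects the malformed input before it reaches the database, which gives the application a clean place to log the attempt. The same scanner input that returns every customer row from `lookup_vulnerable` returns nothing from `lookup_parameterized`, which is exactly the difference a lightweight web application scan, as the recommendation above puts it, would have surfaced.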
To learn more about the findings in this report and our finance-centric security solutions, contact your account manager or visit verizon.com/enterprise/finance.
verizon.com/enterprise
© 2012 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. MC15435 10/12.