Cyberattacks Grow More Complex

By Sherry Harowitz

01 April 2013

Print Issue: April 2013

While many breaches are caused by trusted sources and simple security flaws, it’s also getting harder to stop malware because it’s more cleverly hidden.

While cyberespionage from China and other countries has dominated the news recently, more traditionally motivated hacks by common criminals still make up the bulk of cyberattacks. Cyberthieves attack everything from hotels to small retail franchises in search of data like credit cardholder information they can turn to fast cash.

In the past two years, cyberattacks on businesses have grown significantly more complex, according to the 2013 Trustwave Global Security Report, making prevention and detection harder. Even so, it is also striking that in a good many cases, compromise occurred at least in part because companies failed to take care of the basics—like avoiding weak or default credentials. Half of 3 million user passwords analyzed (not only from breach cases) were the bare minimum.

The findings are based on more than 450 data breach investigations performed by Trustwave SpiderLabs in 19 countries. The United States was by far the most frequent victim (see chart). For some of the conclusions about attacks, Trustwave also analyzed results from 2,500 penetration tests, more than five million malicious Web sites and more than nine million Web site application attacks, and tens of billions of events.

While all corporate data is at risk once a system is breached, thieves tend to go for cardholder data, because it takes less work to monetize. Intellectual property (IP) was the clear target in only 2 percent of the cases in this study. The places thieves go to get such data are most often retail establishments. Three years ago, notes the report, the hospitality industry was a bigger target, but it has made great strides toward strengthening security of data, and the effort appears to have paid off.

New this year was the breach of automated teller machines (ATMs), which occurred in only 1 percent of the cases, but it may presage more to come as the payoff is considerably greater than with other types of cardholder data, the report notes.

IP attacks can be far more devastating as they “could result in years of research and development being stolen and used by a competing company,” says Nicholas Percoco, senior vice president of Trustwave. But most companies don’t face that type of attack because “most of the corporate or nation-state sponsored IP attacks go after the top organizations within particular industries.”

The number one vulnerability that led to a breach was remote access. That’s not surprising, really. As the report notes, many IT service providers—the trusted third parties that have been given remote access—“choose a remote administration utility that remains always on...not the most secure option…. To further facilitate remote administration, providers frequently choose simple, default-like passwords that are then reused at multiple client locations.” That means if one location is compromised, they all are.

These vulnerabilities are compounded when the service provider has a poorly configured firewall and when their systems are not kept up to date with the latest patches.

The access software these providers use is often not properly configured and it is not audited, according to Nathan McNeill, cofounder and chief strategy officer of Bomgar, one of the companies that provides remote service software. Newer remote access software tends to be configured more securely out of the box, he says.

When companies outsource their IT services, they should ask questions about the provider’s practices, says McNeill. At the very least, they should make sure that the company has its personnel use different access passwords for different clients so that if one is compromised, they are not all automatically exposed.

The second most common way that sites are breached is through what is called Structured Query Language (SQL) injection. This begins at the Web site. As the report explains, Web pages today are set up to take user information, which is then transferred to and from back-end databases housing everything from cardholder data to a user’s purchase history. The Web page communicates with the database via SQL queries. "Poor coding practices have allowed the SQL injection attack vector to remain on the threat landscape for more than 15 years. Any application that fails to properly handle user-supplied input is at risk," notes the report. SQL injection is preventable when programmers do their jobs, but in 26 percent of the examined breaches, hackers were able to exploit SQL vulnerabilities.

Once in, hackers can often work their way easily through a company's system to the valuable data they seek. That's not as hard as it should be, because "Internally-facing remote administration utilities are frequently set up even less securely than externally-facing versions," says the report. "Many have abysmally weak username:password combinations—and sometimes require no credentials at all."

Hackers may install malware that will allow them to harvest data. They have become "much more adept at hiding their malware in plain sight, known as malware subterfuge—the use of legitimate process names or injection of malware into legitimate Windows binaries. This means that an attacker’s malware could live on a target system undetected for as long as four years, and all data processed during that timeframe may be compromised," the report states.

The hackers also use more modern options like automated exfiltration mechanisms that send the data they want to another site where they retrieve it. They are able to send data out undetected because the company either lacks a firewall or the firewall lacks egress filters.

One of the most surprising findings was that analysis of the malware revealed that apart from some off-the-shelf script kiddies and targeting of some critical government agencies, most point-of-sale credit card breaches could be traced back to just three primary criminal enterprises, though the third appears to be a distributed network of attackers and tools used by thousands of criminals.

The report is also sobering in that it shows how difficult it is for a company to really prevent infections. As an example, it states, "The use of embedded files not only makes it extremely difficult for security products to detect malicious files but also exploits the functionality of each file format. It's becoming difficult for system administrators to control what can and cannot be executed. Flash Player does not need to be installed for a Flash file to be loaded within a PDF, MP4s can be loaded directly from within Flash Player, and most PDF readers will execute JavaScript code out of the box. Attackers make good use of these facts."

But companies can protect themselves by demanding that third parties follow best practices with strong passwords; they can also make sure that their own security is good, with proper firewall egress filters and other strong internal controls, to decrease the hackers' chances of getting malware in or getting data out—or at the very least to increase the chance of timely detection if hackers do succeed in gaining access.