Tuesday, October 19, 2010

How Does Sensitive Data Leave Your Network?

This post references the Verizon 2010 Data Breach Investigations Report

Malware

Malware factored into 38% of 2009 cases and 94% of all data lost. Malware is loaded onto the network by various methods that constantly evolve to keep pace with network security. The main goal of malware is to collect sensitive information without being discovered. Once collected, the data is used in many different ways. In many cases, the data is sent out of the network and back to the host computer. In this case, if the company had network monitoring software active, it could distinguish between valid and invalid outbound traffic.

Employee Misconduct

Employees play a major role in data leakage. Whether it is for financial gain, to directly harm the company, or both, it is important that employee network usage is monitored. Simple internet surfing by idle employees could lead to malware being installed on the corporate network. Records of websites visited, with exact reconstruction, are the first step in damage control if a breach occurs.

The Verizon report states "We advocate paying attention to what goes out of your network and what changes take place within your systems." Additionally, it states that any periodic, odd sized, trending, or otherwise suspicious outbound activity is grounds for investigation. This can be accomplished with many tools, but often a simple traffic analyzer will not capture the actual files that are sent out of the network.
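The two outbound traits the report names, periodic and odd sized, can be checked directly against flow records. The following is an added example, not code from the original post or from any NetSentry product; it runs over constructed sample flows and flags a source/destination pair with a near-constant send interval and an upload far larger than that pair's usual size.

```python
# Added example, not code from the original post: flag outbound flows that are
# periodic (beacon-like) or oddly sized, the two traits the DBIR singles out.
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample flow records: (seconds, src_ip, dst_ip, bytes_out).
# 10.0.0.5 talks to one host every 300 s; 10.0.0.7 makes one huge upload.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 512),
    (300, "10.0.0.5", "203.0.113.9", 520),
    (600, "10.0.0.5", "203.0.113.9", 508),
    (900, "10.0.0.5", "203.0.113.9", 515),
    (1200, "10.0.0.5", "203.0.113.9", 511),
    (40, "10.0.0.7", "198.51.100.2", 1400),
    (95, "10.0.0.7", "198.51.100.2", 2100),
    (400, "10.0.0.7", "198.51.100.2", 1800),
    (410, "10.0.0.7", "198.51.100.2", 3000),
    (1300, "10.0.0.7", "198.51.100.2", 250_000_000),
]


def group_by_pair(flows):
    """Bucket flow records by (src, dst) so each pair gets its own baseline."""
    pairs = defaultdict(list)
    for rec in flows:
        pairs[(rec[1], rec[2])].append(rec)
    return pairs


def periodic_pairs(flows, min_flows=4, max_jitter=0.1):
    """Pairs whose inter-flow gaps are nearly constant (beacon-like schedule)."""
    hits = []
    for pair, recs in group_by_pair(flows).items():
        stamps = sorted(r[0] for r in recs)
        if len(stamps) < min_flows:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Relative spread of the gaps; a scheduled beacon shows little jitter.
        if pstdev(gaps) <= max_jitter * mean(gaps):
            hits.append(pair)
    return hits


def oversized_flows(flows, ratio=10.0, min_flows=3):
    """Flows far larger than the median size seen for the same pair.
    The median is used so one giant transfer cannot inflate its own baseline."""
    hits = []
    for recs in group_by_pair(flows).values():
        if len(recs) < min_flows:
            continue
        typical = median(r[3] for r in recs)
        hits.extend(r for r in recs if r[3] > ratio * typical)
    return hits
```

The thresholds (four flows, 10% jitter, 10x the median) are assumptions for the sample data and would be tuned against a real baseline.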

NetSentry Live undetectably monitors network Internet traffic and captures, reconstructs, and stores original content in a searchable database. With its real-time alerts, NetSentry can provide the insight to identify both who is responsible and when suspicious or malicious Internet activity happens on your network. Never before has a network monitoring and forensics tool been so powerful and so easy to use as NetSentry. Adding NetSentry Live to your DLP strategy gives your business a best-in-class tool that produces the complete evidence when the leak happens.

Guardian Digital Forensics Hires Don Gilman as Vice President

Raleigh, NC – Guardian Digital Forensics, a Raleigh-based digital forensics consulting company, is pleased to announce the addition of a new member to its NetSentry management team: Vice President of Market Development, Don Gilman. NetSentry is proud to have Gilman on board and is excited to utilize his expertise and experience to expand our market reach.

Gilman brings with him over twenty years of management and leadership experience coupled with a consulting background. He enjoys the art of building relationships and tackling difficult challenges, which is why he has a reputation for developing innovative solutions to business problems.

He has recently served as Ambassador for the North Carolina Technology Association and as VP of Strategy and Director of Service Delivery for the North Carolina Chapter of the Project Management Institute. Additionally, he holds the following certifications: Certified Project Manager in Construction, Certified Project Manager in Information Technology, Certified Information Systems Auditor from ISACA, and Certified Lean Six Sigma Green Belt.

Friday, October 8, 2010

Internal Threats in Data Breaches

This post references the Verizon 2010 Data Breach Investigations Report.

The three origins of data breaches are external, internal and partner agents. The origins are not exclusive, and a data breach can involve attacks from one or multiple agents. This post will focus on the internal threat and include recommendations to help protect against internal attacks. In 2009, the role of insider agents in data breaches doubled compared to 2008 figures. This increase is partly due to an influx of insider cases from the U.S. Secret Service, but it also reflects the constant threat from insiders in cases analyzed by Verizon.

Internal agents act with different motives and possess varying levels of skill. The similarity that 90% of internal agents share is that they act deliberately. Only 4% of insiders who contribute to a data breach act unintentionally. The other 6% are insiders who carry out inappropriate behavior, and a breach occurs because of their actions. The report states that employees who commit data theft have more than likely been cited for network misuse in the past. Should corporations more closely monitor employees that have network misuse infractions? It is a preventative measure that is less costly than having to mitigate a data breach.

51% of internal data breaches come from regular employees, with personnel that handle cash on a regular basis noted as the main culprits. Finance and accounting staff account for 12% of internal breaches, as they have access to corporate accounts and financial data. Systems and network administrators also accounted for 12% of breaches. Executives accounted for 7%, helpdesk staff 4%, software developers 3%, auditors 1% and unknown 9%. Access to confidential data, especially without necessity, can lead to data breaches. Unnecessarily high user IT privileges contribute to many of the breaches and should be more closely monitored.

Below are some tips, implied from the report, that will help secure internal networks.

  1. Use network surveillance software with packet reconstruction and forensic analysis capabilities for quick user identification, evidence and prosecution requirements in case of a breach.
  2. Develop a corporate-wide "Breach Plan" including personnel, time frames and budget considerations.
  3. Distribute an internet usage policy with clearly defined rules for all possible infractions.
  4. Review user IT privileges quarterly to remove unnecessary access, which is both a breach risk and a possible motivator for data theft.
  5. Monitor all top-level users with access to valuable corporate information.
  6. Monitor all employees with a certain level of network misuse infractions.

Monday, October 4, 2010

External Threats in Data Breaches

This post references the Verizon 2010 Data Breach Investigations Report.

From 2004 to 2009, over 87% of the approximately 919 million compromised data records were compromised by external threats. I agree with the authors of the report in stating that this is one of the most powerful statistics in the paper. The harm caused by external threats is clearly the most costly to organizations. The more valuable the information an organization has, the more secure its network has to be, plain and simple. External threats in 2009 comprised 70% of breaches and 98% of records. Internal threats in 2009 comprised 48% of breaches and 3% of records.

The types of external threats and their percent of breaches are organized crime (24%), unaffiliated person(s) (21%), external systems (3%), activist groups (2%), former employees (2%), other organizations (1%), competitors (1%), customers (1%) and unknown (45%). Organized crime is the largest identified threat agent. This is not unusual, as organized criminals, located all over the world, have the resources to infiltrate networks and extract valuable data. Geographically, 21% of external breaches originate from Eastern Europe, including Russia. North America accounts for 19% of breaches and East Asia for 18%. Unknown origin accounts for 31%. Interestingly, in 2009 Verizon cases, East Asia rose to the top spot for external breach origination, while a majority of the unknown origination is suspected of coming from East Asia.

The unknown share in both external threat type and external threat origination is a result of breach victims not seeking out an answer to who or where their attack came from. This is often a purely financial decision, or the attacker cannot be identified. Most breach cases handled by the US Secret Service have a determined suspect and origination due to prosecution.

What does it all mean? Cyber-crime is not new. The number of external agents with the knowledge to access sensitive corporate data on "secure" networks is not shrinking. The constant battle to develop secure applications as old security is compromised will not end. Corporations need to be vigilant and consistently monitor network security and procedures to stay ahead of external threats.