Nonpayment data gaining as breach objective

While payment card data continued to top the list of the types of data compromised, a report by Trustwave notes that 45% of data thefts in 2013 involved confidential, nonpayment card data—a 33% increase from 2012.

Nonpayment card data includes other sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various types of customer records.

E-commerce breaches were the most rampant, making up 54% of assets targeted. Point-of-sale breaches accounted for 33% of Trustwave’s 2013 investigations and data centers made up 10%. Trustwave expects POS and e-commerce compromises to dominate into 2014 and beyond.

Trustwave gathered the data from 691 breach investigations (a 54 percent increase from 2012) across 24 countries in addition to proprietary threat intelligence gleaned from the company's five global Security Operations Centers, telemetry from security technologies and ongoing threat research.

When ranking the Top 10 victim locations, the report reveals the United States overwhelmingly houses the most victims at 59%, which was more than four times as many as the next closest victim location, the United Kingdom, at 14%. Australia was ranked third, at 11%, followed by Hong Kong and India, both at 2%. Canada was ranked sixth at 1%, tied with New Zealand, Ireland, Belgium, and Mauritius.

Similar to 2012, retail once again was the top industry compromised, making up 35% of the breaches Trustwave investigated in 2013. Food and beverage ranked second at 18, and hospitality ranked third at 11.

Criminals continued to use malware as one of the top methods for getting inside and extracting data. The top three malware-hosting countries in 2013 were the United States (42), Russia (13%), and Germany (9%).

Criminals relied most on Java applets as a malware delivery method—78% of exploits Trustwave detected took advantage of Java vulnerabilities.

Eighty-five percent of the exploits detected in 2013 were of third party plug-ins, including Java, Adobe Flash, and Acrobat Reader.

Overall spam made up 70% of inbound mail, however malicious spam dropped 5% in 2013. Fifty-nine percent of malicious spam included malicious attachments and 41% included malicious links.

Employees and individual users often inadvertently open the door to criminals by using easily-guessable passwords. Trustwave found weak passwords led to an initial intrusion in 31% of compromises.

In December 2013, security researchers at Trustwave discovered a Pony botnet instance that compromised approximately 2 million accounts for popular websites. When analyzing those compromised credentials, Trustwave found that "123456" topped the list of the most commonly used password, followed by "123456789," "1234", and then "password." Nearly 25% of the usernames had passwords stored for multiple sites.

Ninety-six percent of applications scanned by Trustwave in 2013 harbored one or more serious security vulnerabilities. The finding demonstrates the need for more application security testing during the development, production and active phases.

Trustwave found that self-detection continued to be low with 71% of compromised victims not detecting breaches themselves. However, the data also demonstrates how critical self-detection is improving the timeline to containment and therefore limiting the overall damage. For example, the median number of days it took organizations that self-detected a breach to contain the breach was one day, whereas it took organizations 14 days to contain the breach when it was detected by a third party.

The report also reveals the median number of days from initial intrusion to detection was 87 and the median number of days from detection to containment was seven. Upon discovery of a breach, 67% of victims were able to contain it within 10 days. From 2012 to 2013, there was a decrease in the amount of time an organization took to contain a breach. In half of the compromises investigated by Trustwave, the victim contained the breach within four months of the initial intrusion.

"Security is a process that involves foresight, manpower, advanced skillsets, threat intelligence, and technologies. If businesses are not fully equipped with all of these components, they are only increasing their chances of being the next data breach victim," says Robert McCullen, chairman and CEO at Trustwave. "As we have seen in our investigations, breaches are going to happen. However, the more information businesses can arm themselves with regarding who are their potential attackers, what those criminals are after, and how their team will identify, react, and remediate a breach if it does occur, is key to protecting their data, users and overall business."

The 2014 Trustwave Global Security Report recommends businesses implement the following action plan:

• Protect users from themselves: Educate employees on best security practices, including strong password creation and awareness of social engineering techniques like phishing. Invest in gateway security technologies as a fallback to automate protection from threats such as zero-day vulnerabilities, targeted malware, and malicious email.
• Annihilate weak passwords: Implement and enforce strong authentication policies. Thirty percent of the time, an attacker gains access because of a weak password. Strong passwords—consisting of a minimum of seven characters and a combination of upper and lower case letters, symbols, and numbers—play a vital role in helping prevent a breach. Even better are passphrases that include eight to ten words that make up a sentence that only the user knows. Businesses should also deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user's mobile phone.
• Protect the rest: Secure all of your data, and don't lull yourself into a false sense of security just because you think your payment card data is protected. Assess your entire set of assets-from endpoint to network to application to database. Any vulnerability in any asset could lead to the exposure of data. Combine ongoing testing and scanning of these assets to identify and fix flaws before an attacker can take advantage of them.
• Model the threat: Model the threat and test your systems' resilience to it with penetration testing. Pitting a security expert against your network hosts, applications and databases applies a real-world attacker's perspective to your systems (a threat model). A penetration test transcends merely identifying vulnerabilities by demonstrating how an attacker can take advantage of them and expose data.
• Plan your response: Develop, institute, and rehearse an incident response plan. Identify what sorts of events or indicators of compromise will trigger your incident response plan. A plan will help make your organization aware of a compromise sooner, limit its repercussions and shorten its duration.

[Note: ABA’s Corporation for American Banking endorses Trustwave for its network security and data protection resources. Get more information at http://www.bankingexchange.com/old//Products/Endorsed/Pages/network-security.aspx.]