Watching a Main Street data breach happen

There’s a saying in the world of cyber security, “it’s not if, but when,” your company will be attacked, said Timothy Francis, enterprise lead for cyber insurance at Travelers during a recent industry briefing presented by the insurance carrier.

The implication is that every firm’s computer records will be exposed to bad players. But Francis told listeners that there’s more to this challenge.

“If you know how and why, you can act against those events taking place,” said Francis. “And if something takes place, you can take steps to mitigate the effects.”

At the briefing, Travelers brought together a panel of experts to present a simulated hack, and to discuss how to spot vulnerabilities and how to counter the results of a breach. (The first part of this report discussed the major impact that breaches can have on Main Street businesses and reported findings from the 2015 Travelers Business Risk Index. See “When data breaches hit Main Street.”) 

Understanding hackers’ mindset and methods

Some hackers are sophisticated and may be part of organized crime organizations, while some are relatively unsophisticated opportunists. What organizations they target will depend on their motivations—political, financial, or otherwise, according to Chris Hauser, second vice-president, Travelers Investigative Services. However, one common point is that they typically seek the path of least resistance.

“Hackers want an easy way in, and they want to go in, get what they want, and get out,” said Hauser. Many hacks occur on open source software, programs made available free or at nominal cost, and available to the public.

“These are the snippets that make up the foundation of our internet,” says Hauser. One of the things that hackers look for are errors made in programmers’ use of software to set up websites.

One of the most common types of hacks is the SQL injection attack. SQL stands for Structured Query Language, coding used in database applications like content management systems. An SQL attack is an attempt to inject malicious code into a field intended for data entry. If the user has failed to properly filter an input field, such as a place to put in a name or a password, that field can be used to feed invasive code into the site. This can enable the hacker to obtain customer data collected by the site.

“Computer attacks are not magic,” said Hauser. “They take advantage of vulnerabilities.”

Anatomy of a breach

Experts walked the audience through a hack on a closed-system version of a website run by a hypothetical furniture company that permitted online payments for orders. The website was set up using Drupal, a commonly used content management system program that is based on open source code. Drupal is maintained and developed by a software community of over 1 million users and developers.

As demonstrated at the briefing, the site developer had not filtered the field for the customer password—limiting the type of input it would accept—enabling the “hackers” demonstrating the technique to easily enter instructions that would be executed, rather than data. (Hauser pointed out that Drupal was patched last year to cure the vulnerability that the briefing was demonstrating. However, he said it is estimated that 97% of data breaches arise through SQL injection.)

Ironically, sites may be advertising vulnerability to hackers casing their home pages. Statements at the bottom of a page indicating that the site is “powered by” this or that program can alert a hacker to software that they know how to exploit, according to Hauser. That, and the ability to input payment information, represent two attractions to hackers.

In the demonstration, Hauser and his “accomplice,” Kurt Oestreicher, digital forensics specialist with Travelers Investigative Services, used a penetration testing toolkit. This is used by network administrators to test their sites, but can also be used by hackers. This and several other packages  helped identify a vulnerability. The hackers quickly opened the site and, had the pair been real crooks, they could have dumped real customer data.

The pair also took over the site, and sent a ransom demand to its rightful operator. In the meantime, they had obtained the ability to revamp the site. In this case, they posted the ransom demand, so that any visitor could see it.

“That sends a message to the public that the site has been ‘pwned’,” said Hauser. (That word is pronounced “owned”; the spelling is part of hacker lore.)

The process took just ten minutes. Travelers’ Tim Francis noted that if the pair hadn’t been narrating their attack, the infiltration would have occurred even faster.

“This was the point and click version of computer hacking,” said Hauser, with much of the process being automated with tools that criminals can easily lay hands on.

“Of all the cases in the media over the last few years, the great majority of them involve that actual kind of exploitation,” said Mark Greisiger, president of cyber risk consultancy NetDiligence. “The SQL database is so common to business, bad guys are constantly taking advantage of it. I can remember talking to Lloyd’s of London 14 years ago and this kind of exploit was happening back then. It’s not going away, for a variety of reasons.”

Vulnerabilities without hacking

Not every data breach is the result of hacking from a remote “attack server” into a victim company’s web server. Sometimes simple employee carelessness and lack of corporate preparedness can wreak havoc.

Lost or stolen laptops represent a major risk. Greisiger said that many incidents arise because company-issued or –authorized machines have not been equipped with even rudimentary security features. Such precautions, and employee security education, are critical, said Greisiger.

A looming vulnerability concerns data that may have been improperly gathered by a company or its employee. Should such information be collected and then stolen—especially if it clearly violates the company’s stated privacy policy—businesses face potential class-action suits, said Greisiger.

Ultimately, no matter how many vendors a company may use, the privacy duty resides with them if they took information, appropriately or otherwise, from customers, Greisiger said. “The law will say, ‘They trusted you with it. Then it’s on you’.”

Four defenses, and where they can flop

The hacking demonstration was followed by a discussion of four common weak spots in data security management where even potentially helpful practices might not provide adequate protection.

Intrusion Detection Software (IDS): “This is an early detection system. It says a bad guy is trying to get into your system—or has,” said Greisiger. However, he said, such systems are notorious for false positives—in the range of 70% of alerts can be false.

“It can drive IT guys batty and they often ignore their own alerts,” warned Greisiger.

These system can backfire legally, too. Greisiger said that many times victim companies hear about breaches from other parties who detect frauds, such as a bank or one of the card companies. However, notice of being part of a larger pattern may come long after the break-in.

As a result, a plaintiff’s attorney may be able to play an ignored alert against a company.

Encryption of private data: “Encryption” covers a lot of ground. But a good practice that only about one in ten firms use is encryption of “data at rest”—customer and other data in systems storage that is often hackers’ prime target.

Patch management: “All systems need daily care and maintenance to keep the bad guys out,” said Greisiger. “You need patches on every system on almost a daily or weekly basis to keep the bad guys out. What the bad guys are taking advantage of is that most organizations don’t have the manpower to install patches in a quick, timely manner.”

Vendor mis-management: “One in three claims that we see had some third-party vendor involved,” Greisiger said.

Greisiger said many vendors outsource to the cloud or to other parties and have their own data mishaps. They may not notify their customers in a timely way.

“Or they may not tell them at all,” said Greisiger.

The cloud adds complications to the challenge.

“Clouds outsource to other clouds and so it can be really difficult to see where your data really resides,” said Greisiger.

Is there legal risk in the cloud?

TV stations once ran ads to the effect, “It’s 10 o’clock: Do you know where your children are?” Business executives might now be asked: Do you know where your data is?”

The panel was asked how a company could control where its data goes once the decision is made to work in the cloud.

“If you want to spend the money, someone will let you have your own private cloud,” said Greisiger. “What we hear when we are investigating a cloud breach, is that they can’t let our forensics people in, because other people’s data is mixed in.”

Clouds can make financial sense to use, he said, but security concerns dictate the need for explicit talk with vendors. Using a cloud vendor might even be more secure, if the vendor is better staffed to provide more frequent patch management than the client company is capable of providing.

Panelists made additional suggestions to limit issues. One solution was to encrypt all data that is stored in the cloud, such that even if there is an infiltration, that data will have an additional level of protection. For this to work, the client, not the cloud, would have to control the encryption key.

At the same time, the experts warned that any data stored in the cloud remains the responsibility of the company putting it there.

Facing the challenge

In spite of what the IT department and vendors tell management, panelists insisted that no data and network security setup is 100% secure. Even very large companies with lots of experts and multiple layers of security can’t insulate themselves from the risks completely. Main Street firms can face higher odds of infiltration.

And what’s best practice and what’s going on in the real world are two different things, according to John Mullen, partner at Lewis Brisbois Bisgaard & Smith LLP Attorneys. Mullen, whose firm often works as “data breach coach” for stricken firms, said it’s still not unusual to see critical information like a password on a sticky note on a laptop.

Communication with vendors is key. Experts made the point that timely notice of breaches and related issues can be critical because it may impact reporting requirements for companies that have cyber security coverage.

Traveler’s Tim Francis says the conversation has shifted from awareness of the risk to talking about ways to mitigate risk, including cyber insurance.

In that regard, the market is moving. John Mullen said that in his frequent conversations with business insurance brokers, he has found that about one out of ten firms that should have cyber insurance buy it.

“But that’s up from only 1% five years ago,” Mullen said. “So it is increasing.” He said that raised awareness among headline cases like Target have smaller companies.