Cyber criminals target “vulnerable” applications
Security breaches at major institutions in financial services, healthcare and other industries are going undetected for months at a time and are often caused by basic errors of security, such as weak passwords, vulnerable applications and a lack of interest in security, according to a new report by cybercrime specialist company Trustwave.
The firm’s 2014 Trustwave Global Security Report draws on data from 691 of the company’s own investigations into security breaches in 24 countries. It found that most applications are vulnerable, with 96% of applications scanned by the company harbouring one or more serious security vulnerabilities. “If you have some software, it has a vulnerability,” said Matt Palmer, chairman of the Channel Islands Information Security Forum. “Even if the technology had no apparent vulnerabilities when it was released, five or ten years later it will have vulnerabilities.”
Easily guessable passwords were highlighted in the report as the main cause of the problem: in 31% of cases, weak passwords were the entry point for cyber criminals. In December 2013, Trustwave discovered a ‘Pony’ botnet that had compromised two million accounts on popular websites. Pony is a botnet of infected computers whose malware harvests the passwords stored on them for Facebook, Twitter, LinkedIn, Google and Yahoo. When checking the compromised credentials, Trustwave found that “123456” topped the list of the most commonly used passwords, followed by “123456789”, “1234” and then “password”. Nearly 25% of the usernames appeared with passwords stored for more than one site.
“User education is not where it needs to be,” said Palmer. “You can have all the security in the world, but if the user is going to have a bad password, sharing it with wife and kids and using it at home and in the office, it’s not just a workplace issue. It’s a life issue. It’s a wakeup call for governments.”
“In our security penetration tests on 3,000 firms large and small, we found that it’s not just the little ones where these kinds of techniques can be used to steal the keys to the kingdom,” added John Yeo, director of Trustwave’s ‘ethical hacking’ team. “We only need one weak spot to get in and escalate our privileges.”
On average, once a firm was compromised it took nearly three months (87 days) for the breach to be detected. Once a breach was discovered, 67% of victims contained it within 10 days, but 71% of victims did not detect the breach themselves. Payment card data was the most common target, and e-commerce systems the most common venue for the crime, making up 54% of assets targeted. Point-of-sale breaches accounted for 33% of investigations and data centres for 10%.
Malware remains one of the main methods of extracting data. Criminals relied most heavily on Java applets to deliver it: 78% of exploits detected by Trustwave targeted Java vulnerabilities, and 85% of exploits targeted third-party plug-ins, including Java, Adobe Flash and Acrobat Reader. Spam overall made up 70% of inbound mail, though malicious spam fell 5% over the year; 59% of malicious spam carried malicious attachments and 41% used malicious links.
The top three malware-hosting countries were the US (42%), Russia, (13%) and Germany (9%). The victims were most commonly located in the US (59%), with the UK following at 14% and Australia third at 11% followed by Hong Kong and India at 2%. Canada was ranked sixth at 1%, tied with New Zealand, Ireland, Belgium and Mauritius.
The main steps that financial institutions and other organisations can take to protect themselves, as set out by Trustwave in the report, were:
- Protect users from themselves: Educate employees on best security practices, including strong password creation and awareness of social engineering techniques like phishing. Invest in gateway security technologies as a fallback to automate protection from threats such as zero-day vulnerabilities, targeted malware and malicious email.
- ‘Annihilate’ weak passwords: Implement and enforce strong authentication policies. Thirty percent of the time, an attacker gains access because of a weak password. Strong passwords—consisting of a minimum of seven characters and a combination of upper and lower case letters, symbols and numbers—play a vital role in helping prevent a breach. Even better are passphrases that include eight to 10 words that make up a sentence that only the user knows. Businesses should also deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user’s mobile phone.
- Protect the rest: Secure all of your data, and don’t lull yourself into a false sense of security just because you think your payment card data is protected. Assess your entire set of assets—from endpoint to network to application to database. Any vulnerability in any asset could lead to the exposure of data. Combine ongoing testing and scanning of these assets to identify and fix flaws before an attacker can take advantage of them.
- Model the threat: Model the threat and test your systems’ resilience to it with penetration testing. Pitting a security expert against your network hosts, applications and databases applies a real-world attacker’s perspective to your systems. A penetration test goes beyond merely identifying vulnerabilities by demonstrating how an attacker could take advantage of them to expose data.
- Plan your response: Develop, institute and rehearse an incident response plan. Identify what sorts of events or indicators of compromise will trigger your incident response plan. A plan will help make your organisation aware of a compromise sooner, limit its repercussions and shorten its duration.
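As an added example (not code from the Trustwave report or this article), the Python below encodes the password policy the report recommends above and runs the two checks the article describes on the Pony credentials, a most-common-password count and a search for usernames reusing one password across sites, over a small constructed dump. The deny list, the dump and every function name are assumptions for illustration.

```python
"""Password-policy and credential-reuse checks (added example, not report code).

Encodes the policy the report recommends (at least seven characters drawing on
upper case, lower case, digits and symbols, or a passphrase of eight words or
more, and nothing on a common-password deny list) and the two analyses the
article describes on the Pony dump: most common passwords and username
password reuse across sites. All data below is constructed for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
import string

MIN_LENGTH = 7             # the report's stated minimum length
MIN_PASSPHRASE_WORDS = 8   # the report's "eight to 10 words" guidance

# Deny list seeded with the four passwords the article names plus two other
# classics; a real deployment loads a far larger breach-derived list.
COMMON_PASSWORDS = {"123456", "123456789", "1234", "password", "qwerty", "111111"}


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate under the report's policy."""
    if pw.lower() in COMMON_PASSWORDS:
        return False, "on common-password deny list"
    if len(pw.split()) >= MIN_PASSPHRASE_WORDS:
        return True, "passphrase"            # sentence-style passphrase
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if not (has_lower and has_upper and has_digit and has_symbol):
        return False, "missing a character class (lower, upper, digit, symbol)"
    return True, "complex password"


# Constructed credential dump in the shape of stealer loot: (username, site, password).
DUMP: List[Tuple[str, str, str]] = [
    ("alice", "facebook.com", "123456"),
    ("alice", "twitter.com", "123456"),
    ("alice", "linkedin.com", "Tr0ub4dor&3"),
    ("bob", "facebook.com", "password"),
    ("bob", "yahoo.com", "Summer!2014"),
    ("carol", "google.com", "123456789"),
    ("carol", "linkedin.com", "123456789"),
    ("dave", "twitter.com", "1234"),
    ("erin", "google.com", "my cat sleeps on the warm car roof"),
]


def top_passwords(dump, n: int = 4) -> List[Tuple[str, int]]:
    """Most common passwords in the dump, the count Trustwave reported for Pony."""
    return Counter(pw for _, _, pw in dump).most_common(n)


def reused_passwords(dump) -> Dict[str, Dict[str, List[str]]]:
    """Map username -> {password: sorted sites} for passwords used on 2+ sites."""
    by_user: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for user, site, pw in dump:
        by_user[user][pw].add(site)
    reused = {}
    for user, pws in by_user.items():
        hits = {pw: sorted(sites) for pw, sites in pws.items() if len(sites) > 1}
        if hits:
            reused[user] = hits
    return reused


def reuse_rate(dump) -> float:
    """Fraction of usernames that reuse at least one password across sites."""
    users = {user for user, _, _ in dump}
    return len(reused_passwords(dump)) / len(users)


def weak_rate(dump) -> float:
    """Fraction of dumped credentials the policy above would have rejected."""
    rejected = sum(1 for _, _, pw in dump if not check_password(pw)[0])
    return rejected / len(dump)


if __name__ == "__main__":
    print("top passwords:", top_passwords(DUMP))
    print("reused:", reused_passwords(DUMP))
    print(f"reuse rate: {reuse_rate(DUMP):.0%}, weak rate: {weak_rate(DUMP):.0%}")
```

The reuse check works on the plaintext a stealer exfiltrates; when auditing your own user base you would compare password hashes under a per-user salt rather than handling plaintext, and you would check new passwords against a breach-derived deny list far larger than the six entries seeded here. Seven characters with four classes is the report's floor; MIN_LENGTH is a single constant so it can be raised.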
“Part of the problem is that these are low-frequency, high-impact events, and people just don’t tend to plan for that,” said Yeo. “We rarely see high-quality testing. They’ve checked that the system does the basics that it was supposed to, but they haven’t checked to see what’s possible, what its points of weakness are.”