2011 Trustwave Global Security Report: Things I Think
As is my wont, I will be highlighting a few points that I found especially comment-worthy from a security report. Today I’m reviewing the 2011 Trustwave Global Security Report. These may or may not be the highlights of the report, but they seemed worth my attention, and hopefully worth yours as well.
- More payment card data theft came from point of sale (POS) systems than from online shopping. Isn’t this exactly the opposite of what most of us assume? When I enter my credit card information into a website I’m much more diligent about looking for potential security issues and doing research. When I walk into a store that accepts credit cards I usually just take it on faith that they’re protecting my data. Apparently I’ve got things backwards.
- The majority of ATM breaches weren’t caused by add-on hardware, but by installed malware or a physically connected USB drive. This is another scary fact. I’ve always felt pretty confident that by visually and physically inspecting an ATM I would be able to detect whether it had been compromised. You know, look around for cameras, and see if there’s a skimmer on it. But now we need to worry that the compromise is completely invisible to us as the customer. The best thing we can do here is to avoid using third-party ATMs at gas stations and convenience stores, and use ATMs that are installed directly into the side of a bank. They are much harder to physically alter, and any alteration is more likely to be noticed quickly.
- 88% of breaches were performed on systems that were being managed by a third party. How does that make you feel about your outsourcing strategy? I’ll tell you how it makes me feel… ‘Yuck.’ We bring in these third-party vendors because we trust that they have all the experience and knowledge with a given security product. And that’s probably true. But they are missing a critical piece: the experience with and knowledge of our systems. No technology solution is complete and ideal for every environment out of the box. It needs to be tweaked and altered to fit each company and, just as importantly, it needs to be consistently maintained and updated. When we work with third-party vendors we suffer from issues in both of these areas: we don’t initially provide them the time and resources to get to know our environment fully, and then we don’t continue the engagement for long enough, or with a thorough enough definition of the level of on-going maintenance we expect. This doesn’t mean that we need to bring all services in-house, but we do need to understand these risks and continually keep them top of mind to ensure we properly address them.
- 55% of breaches were accomplished using a remote access protocol. You know all those helpful utilities that allow us to manage our servers without having to sit right in front of the console? Those tools of convenience not only provide us access to our servers, but are commonly used by our adversaries to get illicit access. We get so comfortable with the assumption that any traffic within the soft interior of our network is safe that we don’t put in the time and thought to ensure that those protocols are secured against eavesdropping and attack. Implementing strong encryption and multi-factor authentication, and restricting which hosts and accounts are allowed to use these services at all, lets us keep these utilities in our tool-belt while taking them away from the bad guys.
- Data-harvesting malware was used in 76% of breaches. Think your antivirus will keep you safe from malware that’s out to steal your company, banking and email credentials? Don’t count on it. Criminals use file-sharing sites, malvertising (advertising on a legitimate site that contains malware), social networking, drive-by downloads, and other tricky strategies to get their software onto your computer, and then leave it there as long as possible without you noticing. This brave new cyber-world requires smart web browsing, continual diligence and a bit of luck to get off without catching a virus.
- The vast majority of breached companies were not compliant with PCI requirements. What does this mean? It certainly does not mean that PCI compliance is a magic bullet that can prevent breaches. The flaws in the PCI-DSS are well known and we won’t go into those here. This fact reinforces the well-known trend that a little bit of prevention goes a long way. We security practitioners will never get rid of all risks, but when we go through the process of identifying our outstanding risks we will not only achieve compliance, but will prevent the vast majority of attacks, including just about all of the unfocused, opportunistic threats that are out there. PCI compliance is a baseline that tells the outside world, “Yeah, we take security seriously.” If you aren’t even doing that, breaches are a lot more likely to occur and to have a lot more serious consequences.
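As a concrete illustration of the remote-access point above (strong crypto, multi-factor authentication, and an explicit allow-list rather than the defaults), here is an added example that is not part of the report or the original post: a small Python audit of an OpenSSH `sshd_config`, run over two constructed samples, a permissive one and its corrected form. The directive names are real OpenSSH keywords; the lists of "weak" algorithm markers and the choice of what to flag are this script's own assumptions, not a published policy.

```python
"""Audit an sshd_config for settings that leave a remote-access protocol
open to password guessing, weak crypto, and single-factor logins.

Added example (not from the Trustwave report). WEAK_CONFIG and
HARDENED_CONFIG are constructed samples; the *_MARKERS tuples are this
script's own assumptions about which algorithm names to flag.
"""
import re

WEAK_CONFIG = """\
# Constructed sample: a permissive sshd_config
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
PermitRootLogin no        # ignored by sshd: the FIRST value wins
"""

HARDENED_CONFIG = """\
# Constructed sample: the corrected configuration
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256
AllowGroups sshusers
"""

# Assumed markers of algorithms a practitioner would not want offered.
WEAK_CIPHER_MARKERS = ("cbc", "3des", "arcfour", "blowfish")
WEAK_MAC_MARKERS = ("md5", "-96", "ripemd")
WEAK_KEX_MARKERS = ("sha1", "group1")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of sshd_config.

    sshd applies the FIRST occurrence of each keyword, so duplicates later
    in the file are ignored here too. Parsing stops at the first Match
    block because settings below it apply only to the matched users.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(key, value)          # first value wins
    return config


def _weak_entries(value, markers):
    """Entries of a comma-separated algorithm list that match any marker."""
    return [a for a in value.lower().split(",") if any(m in a for m in markers)]


def audit_sshd_config(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    cfg = parse_sshd_config(text)
    findings = []
    if "1" in cfg.get("protocol", "2").split(","):
        findings.append("protocol: SSH-1 enabled")
    if cfg.get("permitrootlogin", "") != "no":
        findings.append("permitrootlogin: root login not explicitly disabled")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("passwordauthentication: password logins enabled (sshd default is yes)")
    # Multi-factor in OpenSSH is expressed as a comma-chained method list,
    # e.g. 'publickey,keyboard-interactive' (key AND an interactive OTP).
    methods = cfg.get("authenticationmethods", "")
    if not any("," in m for m in methods.split()):
        findings.append("authenticationmethods: no multi-factor chain such as publickey,keyboard-interactive")
    for key, markers in (("ciphers", WEAK_CIPHER_MARKERS),
                         ("macs", WEAK_MAC_MARKERS),
                         ("kexalgorithms", WEAK_KEX_MARKERS)):
        weak = _weak_entries(cfg.get(key, ""), markers)
        if weak:
            findings.append(f"{key}: weak algorithms {','.join(weak)}")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("allowusers/allowgroups: no account allow-list")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(text)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The first-occurrence rule is the part worth remembering: appending `PermitRootLogin no` to the bottom of a file that already says `yes` near the top changes nothing, which is exactly the kind of silent misconfiguration a vendor-managed box can carry for years. Pair a check like this with network-level restrictions (the service reachable only from a management network or jump host) and log review of successful remote logins.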
Thanks to Trustwave for sharing their experience with the security community. The more we know the better we can become, and the more secure we can make our environments.
Connect with Robb on Google+