Data Breach Trends: How to Avoid a Hack
Chris Novak, Verizon Business: Monitoring, Incident Response are Key
In an exclusive interview, Novak shares insight on:
Novak has more than 10 years of experience investigating both criminal and civil data breaches. He has led dozens of tactical response cases over the past 18 months, and continues to respond to high-profile cases on a global scale.
LINDA MCGLASSON: Chris, we're familiar with your 2009 Breach Report, but wanted to revisit and ask, 'What's the worst news about today's threat horizon?'
NOVAK: Obviously, the threat continues to evolve just like anything else in the security world; you always have this kind of cat and mouse game going on. So, I think it is important for everyone to remain vigilant from a security standpoint, but also to understand that no matter what it is that you do from a security standpoint, there is always the possibility that there is a newer, latest and greatest threat that has the ability to surprise tomorrow. We need to make sure that we keep our guard up. We hear about these large data breach incidents, and I know I hear a lot and people say 'Well, that's got to be the biggest; that's got to be the worst ever. From here on out it's just got to be easy.' We've all learned from these mistakes, and unfortunately what we really see is that some people learn from the mistakes, but there are still a number of people out there that have the mentality of 'This will never happen to me; I don't really have to worry about it. I'm not the biggest, I don't have the brand that the other company had,' and so therefore they are not really taking security as seriously as they probably should.
LINDA: What are some of the new threats that were seen in 2009?
NOVAK: I think the biggest thing is the evolution of malware. We are seeing that the malware is getting more advanced, and the hackers -- particularly the organized crime groups -- actually have development teams. They are working behind the scenes from a hacking standpoint to develop malware for use in these environments that they are targeting, and some of the malware is purposely built just for one specific victim environment, and the hackers have the capability to do that. I think a lot of people are probably still in kind of a former mode of thinking: 'There's only a handful of different flavors of malware, and as long as I have got up-to-date antivirus I'm probably safe.' But in reality what we are finding is that malware is evolving quite substantially, and there are a lot of kind of new and interesting capabilities that they are adding to the malware that, you know, is scary to some, but the key piece is really making sure that you stay up on the latest and greatest threat information to know what you need to do to protect yourself.
LINDA: Lessons learned from some of the most notorious recent data breaches, including those of a payment processor?
NOVAK: I would say probably the biggest things that come out of a lot of the recent big data breaches are really the event monitoring and log analysis. That's one of the things that we call out in the Data Breach Report quite substantially, as well as, you know, about 82% of cases that we investigate -- all of the information that the organization needed to be able to detect and understand what was happening in their environment was right there in their logs. And we can go through their logs and we can point to 'This is when the hacker got in, this is when they were moving around in your environment, this is when they got your admin credentials, this is how they got from one system to the next, how they propagated into or escalated the attack, when they got the data, how much data they got ...' All of this is essentially happening right there on their systems, and it's in their logs, but yet a lot of these organizations do not have the capacity to actually either understand what their logs mean, or they are just so resource constrained that they just don't have the people on board that can monitor them in a regular fashion. So, in some cases, yes, they review their logs, but it may be three months in arrears, and in a data breach world it doesn't take long to move out a substantially sized set of records.
LINDA: So, just on log monitoring what would you offer to organizations to start doing it more effectively?
NOVAK: I think it's a combination of people, processes and technology. I think that there are a lot of organizations out there that tend to think maybe the vendor community is somewhat to blame. They tend to think 'Well, if I'm buying this piece of technology ... the system that I plug in, turn on, the lights blink, and it will tell me when there is something wrong with my environment.' And the problem with a lot of that is, like most technology, it is pre-configured to understand certain things and detect certain threats, but for the most part it is based on what's been programmed into it and how it has been configured. What does it know in terms of how to detect the threat? And then what does it know in terms of how to work on that threat? And what we see commonly is people just basically turn these technologies on and let them run, and some of them work really well. Some of them are years old, and yet they'll detect the hack that took place in 1985. But you know what? They are not detecting the hacks that could take place in 2009. In a lot of cases, you need to back up the technology of those appliances with people resources that can look at it and kind of do a sanity check on it and say 'You know what, this doesn't look right. Someone logged into their bank account 7000 times today, and that is probably a problem.' Sometimes the technology picks up things like that, and sometimes it doesn't.
A lot of times we see scenarios where the bank will say 'Yeah, well they authenticated properly every time, so it's got to be them.' Well, okay; can you point me to a customer that legitimately logged in 7000 times in a day? The large majority of the time, that is some type of fraudulent activity.
LINDA: Chris your worst scenarios: What are the breaches that haven't happened yet or we don't know about yet?
NOVAK: Oh, that's a good question. I think probably one component would be something that would impact kind of a critical infrastructure piece. Right now a lot of what we see are scenarios that hit upon individual entities. And while it can be substantially damaging for that individual entity, it tends to be contained to one entity or its customers. If there was something that were able to impact a larger, broader group of, say, financial institutions -- some backbone component of how they work together or collaborate -- that could have a much more devastating effect than I think what we're normally seeing right now. And obviously I don't wish that to happen. That would be a pretty significant worst-case scenario. And I know that obviously we work very closely with folks in government and law enforcement to try and protect against things like that, but I think that's in the back of everyone's mind.
LINDA: In terms of card data, what is the next most popular data that these hackers are looking for?
NOVAK: If you just take card data and slice it up into two components, you have credit card data in one bucket, and they typically have debit card data or ATM data in another bucket. The credit card data right now is the data that seems to be getting hammered the most. The debit card data, however, is something that is increasingly more interesting to the hacker community than ever before. Because in the credit card world typically the way a fraud is worked is you steal the data, you sell the data, someone makes fraudulent cards, and then has to go to a retailer or an online merchant, buy some goods, and then sell that somewhere to eventually get the cash. It's a long process, and there are risks of getting caught each step along that process. In the debit card and the ATM world, what we are seeing is, 'Well, if we can get that debit or ATM card data we can go up to an ATM machine, never have to interact with a person, and withdraw hundreds or thousands of dollars at a time.' The risk of getting caught is 'Did the ATM machine have a camera, or is there a camera nearby?' That is typically the biggest risk. So that's where one concern would be.
LINDA: Going back to the ATM scenario, that sounds vaguely familiar to what happened with RBS WorldPay. I know you don't like to name names, but that's pretty much a publicly known breach.
NOVAK: Sure. That is a pretty publicly known breach, and as you mention, we don't go into specifics on any one particular incident, but there have been a number of incidents in probably just the last year that have involved ATM or debit card data and the compromise of PINs. That is a very unfortunate thing because the infrastructure in place that handles these transactions is in some cases much more sophisticated and mature than that of credit-based transactions, but we are seeing now that there are breakdowns in that process -- that some of the organizations that handle the financial data, whether it be the merchants who accept the transaction or someone along the line on the banking side, are not necessarily doing everything that needs to happen in order to secure that data.
LINDA: Advice for financial institutions and other businesses out there to prepare for that future hacker attack?
NOVAK: Sure, I think that there are a couple of key things. One being, making sure that you are monitoring. Because like I said, the data can be moved out of an environment so quickly. A lot of people don't realize that some of the biggest breaches that we've ever investigated took place in 24 to 48 hours. That's all the hacker needed, depending on how organized they were. So monitor to be able to get on top of it; don't think 'Well, we can wait, we can monitor a little later, and we'll catch it then.' It may be too late. Have an appropriate incident response plan in place so that if you detect something you have a mechanism to control it and isolate it. Because one of the biggest challenges we see a lot of organizations face now is they may have an incident response plan, but it's not well-written, or it assumes that if it is an IT-related breach, IT will own responsibility ... but then legal has a different view and says 'Well, you know what, this is a big legal issue for us. There are a lot of liabilities, regulations; legal owns the process.' And so you end up having a lot of fighting within the organization; meanwhile, the breach is still going on. So, having a proper incident response plan and testing it is key, and then doing the monitoring so that if something happens you can identify it and act accordingly.