In 2012, the average time from breach to detection was 210 days!

During 2012, nearly every industry, country and type of data was involved in a breach of some kind, reports Trustwave, a data security and PCI compliance firm, in its recently released Global Security Report 2013.

The findings are interesting, though not unexpected. Some of the key findings are below:

Web applications have now emerged as the most popular attack vector. As organizations embrace mobility, mobile malware continues to be a problem for Android, with the number of samples in Trustwave’s collection growing 400% in 2012.

Businesses are embracing an outsourced IT operations model. In 63% of incident response investigations, a major component of IT support was outsourced to a third party. Outsourcing can help businesses gain effective, cost-friendly IT services; however, businesses need to understand the risk their vendors may introduce and proactively work to decrease that risk.

Businesses are slow to “self-detect” breach activity. The average time from initial breach to detection was 210 days, more than 35 days longer than in 2011. Most victim organizations (64%) took over 90 days to detect the intrusion, while 5% took three or more years to identify the criminal activity.

Spam volume declines, but impact on the business doesn’t. Spam volume shrank in 2012 to a level lower than it was in 2007 but spam still represents 75.2% of a typical organization’s inbound email. Most importantly, new malware research conducted by Trustwave found nearly 10% of spam messages to be malicious.

And finally, as expected, basic security measures are still not in place. “Password1” is still the most common password used by global businesses. Of three million user passwords analyzed, 50% of users are using the bare minimum.
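To show why a password like “Password1” sails through a typical complexity policy while still being trivially weak, here is an added example (not from the Trustwave report): a naive “bare minimum” policy check beside a hardened check that normalizes away digits, symbols and leetspeak before consulting a blocklist. The sample passwords and the tiny blocklist are constructed for illustration.

```python
import re

# Constructed sample passwords in the style of the finding above (not report data).
SAMPLE_PASSWORDS = ["Password1", "Welcome1", "Summer2012", "P@ssw0rd",
                    "correct horse battery staple", "Tr0ub4dor&3x!"]

# Tiny constructed stand-in for a common/breached-password blocklist (assumption:
# a real deployment would load a large list instead of these six words).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "monkey"}

# Leetspeak substitutions undone before the blocklist lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_bare_minimum(pw):
    """Typical complexity policy: 8+ chars with upper, lower and digit.
    'Password1' satisfies every rule, which is exactly the problem."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalize(pw):
    """Collapse the decorations users add to satisfy the policy: strip leading and
    trailing digits/symbols, undo leetspeak, lowercase. 'Password1', 'P@ssw0rd'
    and 'Summer2012' all reduce to a plain dictionary word."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    core = re.sub(r"^[\d\W_]+", "", core)
    return core.translate(LEET).lower()


def is_weak(pw, blocklist=COMMON_WORDS):
    """Hardened check: reject short passwords and anything whose normalized core
    is a blocklisted word, however many character classes it uses."""
    return len(pw) < 8 or normalize(pw) in blocklist


def audit(passwords):
    """Return {password: (passes_policy, rejected_by_hardened_check)}."""
    return {pw: (meets_bare_minimum(pw), is_weak(pw)) for pw in passwords}


def bare_minimum_rate(passwords):
    """Fraction of passwords that satisfy the policy yet are still weak."""
    hits = sum(1 for ok, weak in audit(passwords).values() if ok and weak)
    return hits / len(passwords)


if __name__ == "__main__":
    for pw, (ok, weak) in audit(SAMPLE_PASSWORDS).items():
        print(f"{pw!r:32} policy={'pass' if ok else 'FAIL'} hardened={'reject' if weak else 'accept'}")
    print(f"meet policy but weak: {bare_minimum_rate(SAMPLE_PASSWORDS):.0%}")
```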

Trustwave recommends six security pursuits to address the issues. Cyber criminals will never stop trying to compromise systems to obtain data. Organizations need to be aware of where they may be open to attacks, how attackers can enter their environment and what to do if (and when) an attack occurs.

Attacks on US Financial Institutions Continue

A group claiming responsibility for a recent distributed denial-of-service (DDoS) attack against the American Express website is the same one that has been targeting US financial institutions since September 2012. While the primary focus of the group’s efforts appears to be crippling the banks’ websites, there is concern that the attacks could provide a cover for fraudulent transactions.

On March 28, American Express’ website went offline for at least two hours during a distributed denial of service attack. A group calling itself “the cyber-fighters of Izz ad-Din al-Qassam” claimed responsibility for the attack, which began at about 3:00pm Eastern Time. In a statement, an American Express spokesperson said, “Our site experienced a distributed-denial-of-service (DDoS) attack for about two hours on Thursday afternoon…”

The American Express DDoS is part of a new wave of attacks started two weeks ago by the Izz ad-Din al-Qassam group, the latest phase of its larger campaign against US financial institutions that began last September. The group’s alleged goal is to force the take-down of an offensive YouTube video—or extract an ongoing price from American banks as long as the video stays up, which could be indefinitely.

Ars Technica reports that these attacks are also part of a larger trend of disruptive and destructive attacks on financial institutions by apparently politically motivated groups, the most damaging of which was the attack on South Korean banks and other companies last week.

Band of the Hand

Named after a Muslim cleric who led The Black Hand, an anti-British and anti-Zionist jihadist organization in the 1920s and 1930s, and sharing a name with the military wing of Hamas (which the group’s statements claim it is tied to), Izz ad-Din al-Qassam has taken credit for a variety of attacks on US financial institutions over the past year, all allegedly in protest against the posting of trailers for the film The Innocence of Muslims on YouTube. Until the film is removed, the group said it would target “properties of American-Zionist Capitalists… This attack will continue till the Erasing of that nasty movie.”

So far, there have been three distinct phases of the group’s attacks. Dan Holden, director of Arbor Networks’ Security Engineering & Response Team, told Ars in a phone interview that the previous two waves lasted between three and four weeks, with the group then taking a break—likely to do the work required to maintain their botnet of compromised servers and add to it as their existing bots are discovered and disabled.

A well-funded attack

Still, Holden said that it’s unlikely that criminals are “coat-tailing” on the Izz ad-Din al-Qassam group’s attacks just yet. But even if the group behind the attacks isn’t profiting from them, Holden said it’s clear that there are very real investments being made in their activities—maybe not in servers or hard assets, but in the form of countless hours of maintenance of the botnet by finding new servers to exploit, and further development of attacks.

“Regardless of who’s behind this,” Holden said, “it has to be funded at some level. Even if it’s hacktivists, it’s got to be funded hacktivism.” That, he says, is because of both the amount of time dedicated to the attack, and to its ongoing refinement. “It’s not that these are the most sophisticated things in the world,” he explained, “but it has been getting more sophisticated, and it’s growing.”

A simple lesson we have not learned!!

Why have these financial institutions not invested enough money in security? Why not build a BIGGER firewall? Security preparedness is always relative, never absolute. Otherwise, you have to wait until the adversary stops attacking!!

US-CERT on South Korean Malware Attack

Reporting and technical details surrounding the malware used in the March 20, 2013, attack on South Korean assets have been varied and inconsistent. US-CERT released a paper outlining the attack’s common attributes, giving guidance to U.S. Critical Infrastructure and Key Resource owners and operators, and listing defensive measures against the DarkSeoul malware.

The common attributes of the attack campaign are the following:

  • The malicious file wipes the master boot record (MBR) and other files.
  • The malware was hard coded with a specific execution date and time and searches machines for credentials with administrative/root access to servers.
  • The malware is written to specifically target South Korean victims.
  • The attack is effective on multiple operating systems.
  • The design is low sophistication – high damage.

Defensive Measures

US-CERT reminds users and administrators of the importance of best practices to strengthen the security posture of their organization’s systems. The measures include regular and periodic backups, testing those backups, having emergency communication plans, patching, log monitoring and so on. The simple golden rule is to follow the best practices and create user awareness.