With 2012 coming to a close, I decided to take a look back at some of the year’s more significant hacks. Two of the largest heists involved thefts of millions of records of personal data. In March, Global Payments, a credit card processor, revealed a breach in which at least 1.5 million credit card numbers were exported. And the year began when hackers targeted Zappos, the online shoe retailer, and relieved this e-tailer of over 24 million rows of email addresses and other data.
Based on these gigantic incidents, I thought this was the year of the Big Hack and a unique turning point. For perspective, I reviewed two years’ worth of Verizon’s indispensable Data Breach Investigations Reports. The DBIR is based on data collected from the US Secret Service and the Dutch National High Tech Crime Unit. For 2011, Verizon reported over 855 incidents and 174 million records compromised. Last year was the second highest data loss recorded since Verizon began this study in 2004.
I’m not sure if 2012 hacking levels will surpass 2011, and neither of these two years will come close to the 360 million records compromised in 2008. However, there are other trends that seem to have remained relatively constant.
In recent years, the top three industry sectors breached have been hospitality (read: restaurants), retail, and financial services. No surprises here.
Another common theme in the report is that poor authorization monitoring and procedures often broaden the damage done by attackers. Verizon suggests that companies should constantly be on the lookout for new files, especially growing archive and log files, with unusual attribute settings. These often indicate an attack in progress.
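To make that file-monitoring advice concrete, here is an added example (my own code, not from the DBIR or any Varonis product): a Python script that compares two filesystem snapshots and flags archive or log files that show at least two of the indicators the report describes: newly changed, growing quickly, world-writable, or hidden. The paths, thresholds and the two sample snapshots are constructed assumptions, not observations from either breach.

```python
import os
import stat

# File types attackers commonly use to stage data before moving it out.
STAGING_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".gz", ".csv", ".txt", ".log")

def snapshot(root):
    """Map path -> (size, ctime, mode) for every regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                st = os.stat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                out[p] = (st.st_size, st.st_ctime, st.st_mode)
    return out

def suspicious_files(before, after, now, window_s=3600, growth_bytes=50_000_000):
    """Compare two snapshots; return [(path, reasons)] for staging-type files
    showing at least two indicators: new, fast-growing, world-writable, hidden."""
    findings = []
    for path, (size, ctime, mode) in after.items():
        if not path.lower().endswith(STAGING_SUFFIXES):
            continue
        grown = size - before.get(path, (0,))[0]   # absent before -> treat as new
        reasons = []
        if now - ctime <= window_s:
            reasons.append("inode changed within the last %ds" % window_s)
        if grown >= growth_bytes:
            reasons.append("grew %d MB between scans" % (grown // 1_000_000))
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if os.path.basename(path).startswith("."):
            reasons.append("hidden filename")
        if len(reasons) >= 2:
            findings.append((path, reasons))
    return findings

# Constructed snapshots standing in for two scans an hour apart (not real data).
NOW = 1_356_000_000.0
BEFORE = {
    "/var/log/httpd/access.log": (900_000_000, NOW - 30 * 86400, 0o100644),
    "/home/app/report.csv": (5_000_000, NOW - 86400, 0o100644),
}
AFTER = dict(BEFORE)
AFTER["/var/log/httpd/access.log"] = (901_000_000, NOW - 30 * 86400, 0o100644)
AFTER["/srv/www/tmp/.export.zip"] = (120_000_000, NOW - 600, 0o100666)
```

Run `suspicious_files(snapshot(root), snapshot(root), time.time())` from two timed scans of a real tree; only the hidden, fast-growing, world-writable zip in the sample data trips the rule, while the slowly growing web log does not.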
The DBIR also tells us that straightforward hacking—using default passwords, stolen login credentials, or backdoor attacks—is still a very effective way to extract protected data.
One revealing stat is that most of the records hacked in the last few years have not involved credit card numbers. The winner in the most-hacked-data category instead goes to plain old PII—name, address, and social security number.
So how do Global Payments and Zappos match up with the overall trends? Depressingly, these two incidents fit the pattern like a glove. Financial or retail? Check. External attack? Yes. Straightforward hack? It seems so, and no malware was involved that we know about.
For both Global Payments and Zappos, the actual exploits used are still a little fuzzy. According to Gartner Research’s Avivah Litan, the Global Payments attacker may have been able to get through the company’s knowledge-based authentication layer by answering questions correctly. This is still just speculation. Here’s what we do know: Global Payments was PCI-DSS compliant. Visa and Mastercard have since revoked their certification.
Zappos, which is also PCI-DSS compliant, kept their credit card numbers encrypted and separated from other personal information. Hackers were not able to access the “PANs”—PCI lingo for the card numbers. Zappos has kept their certification.
The most eye-opening part of Verizon’s DBIR can be found in their conclusions. Not to put too fine a point on this, but companies are simply not making the attackers work very hard. It’s not that the attackers are so clever; it’s that IT has been a bit lax.
Here’s some of their all-too-familiar advice:
- change default credentials
- review user accounts on a regular basis
- restrict and monitor privileged users
On that last point, I’ll quote the actual text from the DBIR:
“Don’t give users more privileges than they need (this is a biggie) and use separation of duties. Make sure they have direction (they know policies and expectations) and supervision (to make sure they adhere to them). Privileged use should be logged and generate messages to management.”
Speaking as a Varonis blogger, I couldn’t have said it better.
Let’s hope some of this advice takes hold, and 2013 will be a more forgettable year in hacking annals.