Weekly Intelligence Summary: 2010-08-27

Dave Kennedy
August 27th, 2010

Old news tried to dominate the InfoSec risk environment this week: “DLL planting” vulnerabilities in Windows go back to 2000. Zurich Insurance was fined £2.28 million for a data breach in 2008. Also in 2008, Spanair Flight 5022 crashed because the pilots failed to use their checklists and flaps, but wait! Now a virus is being blamed, far beyond reason into hyperbole without objectivity. A Deputy Secretary of Defense confirmed a widespread outbreak of thumb-drive malware in 2008. This revelation was done to “highlight policy responses” by the Pentagon, but, purely coincidentally, their budget is up for review. Current risks include massive frauds victimizing iTunes users via their PayPal accounts. And a 64-bit variant of the advanced rootkit TDL3 has been observed by Symantec and Prevx. Microsoft and Symantec can’t agree on which botnet sends the most spam, as if it matters. Maybe it will two years from now.

DBIR Cover Challenge Solved!

Dave Hylender
August 26th, 2010

Congratulations to our DBIR cover challenge winners! We once again offered cash prizes for the first three individuals to solve our puzzle. We received the second and third place solutions early today. The winners are:

First place: Michael Oglesby of Oklahoma

Second place: Jan Wiebelitz of Germany

Third place: Christopher Kunz of Germany

The RISK team would like to extend a warm thank you to you gentlemen, and to everyone else who participated in the contest for their hard work and their interest in our report. It took just shy of one month for all three winner slots to be filled. We will be releasing the details of the cover challenge over the next few days. If you would like to monitor the most recent twitter chatter, check out #DBIR. Nice job, guys.

Weekly Intelligence Summary: 2010-08-20

Dave Kennedy
August 20th, 2010

Whoopee! We are so lucky this week! We all get to patch our Adobe Acrobat and Adobe Reader instances and race the criminals to see if we can patch faster than they can add it to their other Adobe sploits. Network Solutions took over first place from RIM in the biggest InfoSec headache category when lots of parked domains turned out to be offering up drive-by downloads. “Lots” because numbers are running from “millions” to 120K, and rather than try to track that anatomy metrics contest, we’ll just go with “lots” since it gets the point across. Returning to the InfoSec headache top ten is Heartland Payments who, best case, suffered a reputation attack when reports circulated they are at the bottom of Austin, TX area credit card frauds. If you’re responsible for Internet-facing Cold Fusion deployments you should read this blog post from HP’s security evangelist; the Risk Team is unconvinced this will be used for attacks, but we want you to do your own assessment. When you’re taking a break from pushing out 15 Microsoft and a handful of Adobe patches, please head over to Professor Steve Bellovin’s page at Columbia University and contribute to their Facebook privacy study.

Cloud Computing & Polycentric Risk Tolerances

Alex Hutton
August 18th, 2010

Recently, I’ve seen two cloud computing advocates significantly dismiss the notion of a private cloud. Basically, the complaint the cloudies offered was this:

“I’m a fan of private clouds, I just think that 90% of the corporate rationale for thinking private cloud is (bull).  If your rationale for building out a private cloud is just “general security”, you’re delusional or you’re the NSA.”

Similarly, I saw the statement:

“Security in cloud services can be constructed, maintained and operated at levels that are far beyond what’s cost-effective for almost any individual company or organization.”

With proof of this being a reference to a SaaS provider’s statement of ISO 27001 certification.

THE COST OF CLOUD COMPUTING

You never get something for nothing, right?


2010 DBIR podcasts

Alex Hutton
August 17th, 2010

If you like podcasts and you like our 2010 Data Breach Investigations Report, then this is your lucky day. Below you’ll find links to some podcasts we’ve done following the publication of the report in late July. We’re probably missing a few but this should get you started and we’ll add others as we find them or do them. Enjoy!

VZB Audio: http://www.verizonbusiness.com/resources/media/index-131070-dbir.xml

VZB Video: http://www.youtube.com/verizonbusiness

Threatpost: http://threatpost.com/en_us/blogs/alex-hutton-verizon-data-breach-investigations-report-081610

BankInfoSecurity: http://www.bankinfosecurity.com/podcasts.php?podcastID=644

FedNewsRadio: http://www.federalnewsradio.com/?nid=150&sid=2015737

ITAC: http://itacidentityblog.com/podcast-wade-baker-director-of-intelligence-risk-verizon-discusses-2010-verizon-data-breach-report

ZDNet AU: http://www.zdnet.com.au/data-breaches-it-s-criminals-again-339304943.htm?omnRef=NULL

Risky Business Australia: http://risky.biz/RB161

Secuobs France: http://www.secuobs.com/revue/news/244953.shtml

TV4 Sweden: http://www.tv4play.se/nyheter/nyhetskanalen?videoId=1.1742547

De Beveiligings update Netherlands: http://debeveiligingsupdate.nl/tag/verizon-business/

Weekly Intelligence Summary: 2010-08-13

Dave Kennedy
August 13th, 2010

Patch frenzy!?! Ah… nope. Our To-Do list got longer this week, but our concerns last week about curtailed August vacations appear to be unfounded, and I’ll cop to it. Microsoft issued 14 bulletins and Verizon Business Cybertrust Security customers have had our recommendations since Wednesday. Opera and Chrome updated for security reasons. The sun rose in the east, and Adobe patched Flash, AIR, Cold Fusion and Flash Media Server. VxWorks embedded OS has four new vulnerabilities that should be ACL’d to protect them. Apple updated for the “jailbreakme” vulnerability and an NVP publicized exploit code. Cassandras have come out of the woodwork predicting doom. Systems are increasingly patching automatically; let them. For the rest, the Risk Team recommends you trust your existing patch management and enjoy the last month of Summer. Use the midnight oil on the squeaky wheels.

DBIR cover challenge clues

Alex Hutton
August 11th, 2010

——————

UPDATE:

OK, seriously. Whoever is dropping these hints off to Ryan Naraine (http://www.zdnet.com/blog/security/verizon-dbir-challenge-clue-2/7148) at ZDNet: you’re giving away too much.

——————

There’s been quite a bit of activity about the DBIR Cover Challenge on Twitter today (#DBIR).

Somehow, somebody is giving Ryan Naraine clues that he is posting over on ZDNet and Threatpost. Until we can stop these clues from leaking out, you’ll probably want to continue to monitor what Ryan is posting there and the activity and progress of DBIR cover crackers on Twitter.

Who Wants $500?

Wade Baker
August 9th, 2010

Some of you may remember that the 2009 Data Breach Investigations Report had an enciphered message embedded in the cover and a $500 prize for the first person to crack it. That took Grant Stavely about a day last year and the 2nd and 3rd place prizes ($100 each) were awarded a couple days later.

At least one person has asked if we did something similar in the 2010 DBIR. We’d like to go on record and announce that the 2010 DBIR Cover Challenge is officially on and that the $500 is still up for grabs (along with 2nd and 3rd place prizes). Beyond that, our lips are sealed. Happy hunting.

Weekly Intelligence Summary: 2010-08-06

Dave Kennedy
August 6th, 2010

The risk environment improved this week with the publication of MS10-046 to patch the .LNK vulnerability first reported with the discovery of the Stuxnet Trojan. Regarding all of the fussing over governments demanding access to BlackBerry traffic, the risk environment has not seen significant changes. At worst, some BlackBerry users are going to lose access to some services, for the time being. Verizon Business customers traveling internationally on business should be aware some services may not function in some countries. More widespread impact may change over time, but it’s much too soon for hand-wringing. It’s too bad Microsoft doesn’t appreciate the proportion of the IT staff in the Northern Hemisphere who take vacations in August, because they’re pumping out a record 14 bulletins on Tuesday. Adobe will go out of cycle with an Acrobat and Adobe Reader patch the week of the 16th, and based on recent history, criminals will probably be attacking the vulnerability by then. Psst: Some folks, who really should know better, need to re-learn what “out-of-band” means.

Misinterpretation Alert – Insider breaches are NOT increasing

Wade Baker
August 6th, 2010

We’re seeing some commentary on our 2010 DBIR that says something to the effect of “insiders are #1 threat” or “internal breaches are increasing.” Neither of these are true.

[Figure 6: Threat agents over time]

Granted, the percent of breaches that involve insiders is 22% higher in the 2010 DBIR than the 2009 version. We fully admit this is confusing and apologize if we did not clarify it enough in the report. The higher percentage of insiders is directly attributable to the Secret Service caseload which includes more internal breaches than our own. When you merge the two together, the “average” goes up. This does not mean there is an upward trend.

Examining the above chart (which is Figure 6 on page 13 of the DBIR), you can see that neither the Verizon nor the Secret Service data show a rising trendline for internal agents. The Verizon trendline is flat and the Secret Service trendline actually has a negative slope. In fact, of the three agent categories, outsiders are the only ones increasing in both datasets.

Bottom line: the increased percentage is not due to an increasing trend. It is purely the result of combining datasets.
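The composition effect described in this post is easy to reproduce numerically. The following is an added example, not part of the original post and not DBIR data: the per-year insider and total breach counts for the two caseloads are constructed so that one dataset is flat and the other slopes downward, and the script shows that the merged insider share is nonetheless higher than the single-dataset share from the prior year, while every trendline, including the merged one, is flat or negative.

```python
"""Merging two caseloads can raise the insider share of breaches
without any dataset trending upward.

All counts here are constructed for illustration; they are NOT
figures from the 2009 or 2010 DBIR.
"""
from typing import Dict, Tuple

# year -> (insider_breaches, total_breaches)
Counts = Dict[int, Tuple[int, int]]

# Constructed caseload with a flat insider share (20% every year).
VERIZON: Counts = {2007: (20, 100), 2008: (30, 150), 2009: (28, 140)}

# Constructed caseload with a higher but *declining* insider share.
SECRET_SERVICE: Counts = {2007: (60, 100), 2008: (55, 100), 2009: (50, 100)}


def insider_share(counts: Counts) -> Dict[int, float]:
    """Fraction of breaches involving internal agents, per year."""
    return {year: ins / tot for year, (ins, tot) in counts.items()}


def merge(*datasets: Counts) -> Counts:
    """Combine caseloads by adding raw counts year by year."""
    merged: Counts = {}
    for ds in datasets:
        for year, (ins, tot) in ds.items():
            prev_ins, prev_tot = merged.get(year, (0, 0))
            merged[year] = (prev_ins + ins, prev_tot + tot)
    return merged


def slope(series: Dict[int, float]) -> float:
    """Least-squares slope of share versus year (share units per year).

    Positive means a rising trend, zero flat, negative falling.
    """
    years = sorted(series)
    n = len(years)
    mean_x = sum(years) / n
    mean_y = sum(series[y] for y in years) / n
    num = sum((y - mean_x) * (series[y] - mean_y) for y in years)
    den = sum((y - mean_x) ** 2 for y in years)
    return num / den


def compare(latest_year: int = 2009) -> Dict[str, float]:
    """Return the numbers a reader would want to see side by side."""
    vz = insider_share(VERIZON)
    ss = insider_share(SECRET_SERVICE)
    both = insider_share(merge(VERIZON, SECRET_SERVICE))
    return {
        "single_dataset_share": vz[latest_year],   # what last year's report would show
        "merged_share": both[latest_year],         # what this year's report would show
        "single_dataset_slope": slope(vz),
        "secret_service_slope": slope(ss),
        "merged_slope": slope(both),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value:+.3f}")
```

With the constructed counts the merged insider share for 2009 is 0.325 against 0.20 for the single dataset, a jump of more than 60 percent in the reported percentage, yet the slopes are 0.0, negative and negative respectively. Anyone reading two consecutive reports built on different caseloads should compare trendlines within each dataset, as the post does, rather than the headline percentage across reports.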

The APT Goat Rodeo

Bryan Sartin
August 3rd, 2010

Since the release of the 2010 DBIR last week, I’ve been doing some interviews and reading over public feedback. Quite a few times I’ve either been asked directly or read comments regarding our findings on Advanced Persistent Threats (APTs). Some simply wonder what our findings have to say about APTs, some say we’re “anti-APT”, and others claim we don’t give APT-related stats because we don’t investigate APT-related cases. There’s enough interest and speculation that I’d like to set the record straight.

In the report, we use the label of “hype” in reference to APT. This seems to have raised some hackles. I’m not sure why. One definition of hype is “excessive publicity and the ensuing commotion” and I’m at a loss for a more appropriate word to describe what I’ve witnessed of late. Do you really think the actual frequency of APT-related attacks/incidents this year has risen at an equal rate to the surrounding publicity and usage of the term APT? As stated in the DBIR, we are not denying that APTs are real. “Hype” is not the same as a “hoax.” Every definition I’ve seen for APT (there are quite a few) has a basis in reality. Your organization should evaluate and (if appropriate) plan/protect against attacks from nation-states and other highly skilled, aggressive, equipped, and persistent threats. It’s the “excessive publicity and ensuing commotion” rather than the concept itself that we tried to call out in the DBIR.


Weekly Intelligence Summary: 2010-07-30

Dave Kennedy
July 30th, 2010

Babel (Genesis 11:1-9) is a good analogy for this past week. Imagine the cacophony that could be heard after the language was confused. Our most significant contribution to the InfoSec community this year took place with the publication of the latest edition of our Data Breach Investigations Report (DBIR). One of the Risk Team’s key messages is: “Focus on the threats.” There is a flood of vulnerability data (not intelligence). It doesn’t matter unless some criminal or other threat uses it and causes loss. The DBIR provides threat intelligence in spades. The “.LNK” vulnerability is near the top of most InfoSec pros’ anxiety lists but it hasn’t “gone big”. However, the Zeus gang has adopted it and they are a threat. The American Bankers Association is telling customers their members alone can’t protect consumers’ accounts and that by “partnering” it is possible to shift some of the defensive burden onto individuals (customers) to monitor their own accounts on a “continuous, almost daily basis.” Our colleague William H. Murray drilled the Risk Team years ago, “it’s the data!” WikiLeaks is painfully drilling that lesson into the US Military with no regard for the consequences. The vulnerability noise from Nevada was insignificant compared to the threat and impact lessons of the week.

2010 Data Breach Investigations Report Released

Wade Baker
July 28th, 2010

Get it here.

As many of you know, we publish a series of reports covering forensic engagements worked by Verizon’s Investigative Response team. For the past several years we’ve dug into the who, what, when, where, how, and why of organizational data breaches and passed our findings on to you in the DBIR. We’re big proponents of the belief that you can’t manage what you can’t measure and so are always looking for better ways to measure factors critical to managing security. Analyzing first-hand evidence collected during breach investigations offers a rare and powerful chance to do this.

We’ve already announced that this year’s DBIR is a joint effort between Verizon and the U.S. Secret Service. We hope you’ll benefit from (and enjoy) the results, analysis, recommendations, and commentary in the report. However, we also hope that you will recognize it as a proof point that sensitive data can be shared anonymously, responsibly, securely, and effectively between organizations. Our field is in desperate need of more high-quality accessible data and collaborating among ourselves is the only way we’re going to get there.

This report is interesting in terms of analyzing trends. Last year, we reported on our own caseload. This year, we added an entirely new dataset. It shouldn’t be surprising that this changed some of our results substantially. We discuss these changes and potential reasons for them throughout the report. Equally interesting to those changes, however, are the results that didn’t change. We’ve always wondered (and so have you) whether certain findings were unique to Verizon’s caseload or truly indicative of the general population. The fact that Secret Service data shows many results that are very similar to our own is a compelling revelation.


VERIS framework moves from beta to v1

Wade Baker
July 26th, 2010

As you may remember, we released a beta version of the VERIS framework back in March. Since then, we’ve received helpful feedback from the public as well as organizations that have begun to implement and use VERIS. We’ve updated VERIS accordingly and now believe it is ready to move from beta to version 1. Starting today, you can access v1 at the new VERIS wiki.

This does not mean that VERIS is final; in fact, it never will be. It is meant to be an evolving framework that reflects current community input. The wiki will allow anyone to comment, post suggestions, or otherwise discuss the various elements of VERIS. This will help ensure that the framework remains a useful and viable structure for information sharing within the security community. We invite you to participate.

For those of you not familiar with VERIS, it is a set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner. It is what we use to collect and analyze case details for the Data Breach Investigations Report. The overall goal is to create a foundation for data-driven decision-making and risk management. You can view an executive summary here.

Finally, we would be remiss if we did not give a heads up on the imminent release of the 2010 DBIR. It will be released this Wednesday, July 28. VERIS is what allowed data sharing between Verizon and the United States Secret Service and we look forward to sharing our findings with you.

Intelligence Summary: 2010-07-23

Dave Kennedy
July 23rd, 2010

Tuesday, September 21st, 1976: The classic M*A*S*H hour-long “Bug Out” episode aired. What’s that got to do with InfoSec risk this week? Not a blessed thing, and that’s the point. There’s a new vulnerability in Windows and there’s malware in the wild exploiting it. But this is not the time to strike the tents, jump in the trucks and beat feet. It’s just another worm, folks. In a year we’ll remember it about as well as we remember Conficker. The silver lining might be torque on bean-counters’ arms to free up the bucks (Euro, Yen, Pounds, Riyals) to finally ditch XP SP2. Microsoft, Google and others came out with “Coordinated Vulnerability Disclosure,” ditching the expression “responsible disclosure” in the process. Good luck with that. Society has yet to establish an accepted norm for IT vulnerability handling. Ideally this new effort will accomplish that, but there will always be individuals who reject the social contract for their own selfish, irresponsible reasons.