Tuesday 19 April 2011

2011 Verizon DBIR Out - It's still the basics that matter

It's Verizon DBIR time again, which means another fascinating look at how the data breach landscape has been developing over the year.

As always the report is packed with interesting information and I'd recommend that it's worth reading all the way through. However there were a couple of themes that emerged that I thought would be worth specifically pulling out an commenting on.

It's still the basics that matter - Looking at the hacking methods mentioned in the report, right up near the top is ... "exploitation of default or guessable credentials", and next in line behind it is "brute force and dictionary attacks". There's two fairly obvious points that come out of this.

Firstly is password/credential management. For large companies perhaps that means using enterprise password managment solutions that allow for one-time access passwords, but even small companies can benefit from using things like password safes, to ensure that strong passwords are in use for all accounts. The simple fact is that humans are bad a remembering complex strings, and computers are pretty good at it, so using password safes (whilst it brings its own risks) could be a means of moving to a stronger password approach.

Secondly this ties into a later point in the report about lack of detection in security. Brute force attacks are noisy and really easy to see in any security log, yet they're a tool of choice for attackers. Some basic intrusion detection/reaction capabilities could help to spot and defend against this kind of attack. It's well worth looking at projects like OSSEC for some options.

Carrying on the theme of basic controls that could really help, the quanitity of attackers using backdoors on compromised systems is noticable. Basically once the attackers get onto your systems they'll look to get persistent access and backdoors/rootkits are a good way to go about it.

Defending against these isn't always easy as they'll commonly avoid Malware detection (DBIR reckons that 60% of malware seen in breaches had been customized), but firewall egress filtering could be another (rarely deployed) option to combat this.

It's worth thinking about your server estate and, for DMZs, thinking "do my servers really need to initiate any outbound connections to the Internet". In many cases they won't (beyond things like DNS lookup), so block outbound access. At the least, it'll make the attackers job harder and make it easier to detect what they're doing..

The last one that I'd comment on is the persistent lack of detective controls (IDS/Log review). It's a shame to see this as the systems to gather the relevant information exist and have been around for a long time, but companies still seem to view it as not worth the cost. The point that data relevant to the breach was in place in 69% of cases but that log analysis and review accounted for a whopping 0% of detection of breaches is a pretty stark point.

All in all it's a really interesting read, and hopefully we'll see many more effort along the same line, bringing some hard data to help guide security investment.

No comments:

Post a Comment