Compliance|Computer & Network Security|Information Security|Research

2015 Cyber Security Awareness Month

What is Cybersecurity?

According to US-CERT, “The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.”

In other words, it is the people, processes and technology that maintain the Confidentiality, Integrity and Availability of the systems and data an organization runs on.  These responsibilities are often shared with IT, which brings its own challenges: IT tends to focus on availability (up-time and ease of use), and the controls that protect confidentiality and integrity can be seen as working against it.

We want to help organizations become aware of ways they can protect this data while keeping users productive.  Why should organizations be concerned with cybersecurity?


Organizations today face an ever-increasing risk of cyberattack.  It can come in many forms: phishing, insider threats, zero-day exploits, DDoS and malware.  The consequences can be severe and include downtime, loss of revenue, litigation, fines and lost customer information.  Often, organizations do not have the in-house expertise to address these threats.  The media and marketing also try to convince everyone that more products will improve security, but this isn’t always true.  Security is a process, not a product.  We continue to advise and train our clients on the top things to consider when securing an organization:

  1. Patch Management – Network devices, servers and workstations must stay up to date with patches, and not only OS patches but also third-party applications such as Adobe products and Java.
  2. Risk Assessments – How do you know what you are missing if you don’t look?  How do you know what to protect if you don’t know where it is?
  3. Data Classification – If all of the data is mixed together, how can you protect it?
  4. Network Monitoring and Testing – Understand your network.  Know where it is vulnerable, and check regularly.
  5. Data Encryption – If a lost device or backup is encrypted, the data on it can’t be read without the key.  Encryption is also shown to decrease the cost per record in a breach.
  6. User Training – Users access data every day and are the largest attack surface in an organization.  Security needs to be at the top of their minds too.
  7. Authentication – Password management is often the first line of defense for an organization; add a second factor wherever you can.
  8. Separation of Duties and Least Privilege – If no single account is allowed to do everything, then a compromised account can only do limited damage.
  9. Centralized Logging – If you aren’t storing logs and correlating them, you may be missing key indicators of compromise.
  10. Physical Security – What good is a high priced network infrastructure if someone can walk in the front door and plug into it?
  11. Auditing – Sometimes, it’s hard to see the forest for the trees.  Auditing can help you keep the trees in view and make sure you aren’t missing something.

Cyber-security: A Year In Review

What are the threats, by the numbers?

ISACA’s 2015 Global Cybersecurity Status Report surveyed over 3,000 respondents about cybersecurity.  83% said cyberattacks are among the three largest threats to their organization, and 46% expect a cyberattack to strike their organization in 2015.

Symantec’s 2015 Internet Security Threat Report found that the top 5 zero-day vulnerabilities of 2014 were actively exploited by attackers for a combined 295 days before patches were available.  In other words, patching and AV alone aren’t going to protect anyone from zero-day attacks; they need to be backed by monitoring and least privilege so that an exploit which does land is noticed and contained.

Ransomware attacks grew 113% in 2014, and crypto-ransomware (the kind that actually encrypts files rather than just locking the screen) was seen 45 times more often than the year before.

IBM’s 2015 Cost of a Data Breach Study (conducted with the Ponemon Institute) surveyed 350 companies in 11 countries and found the average total cost of a data breach to be $3.79 million.

The average cost per lost or stolen record was $154, rising to $363 per record in healthcare, $300 in education and $215 in financial services.

According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise an organization within minutes.

23% of recipients now open phishing messages and 11% click on attachments, and nearly half of those opens and clicks happen within the first 4 hours.  The social engineering tests we run against client organizations give us no reason to doubt these numbers.

Nearly 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published.  Zero-days make the headlines, but the bulk of exploitation hits old, known, unpatched vulnerabilities.

Only 0.03% of tens of millions of mobile devices were infected with truly malicious code.  Mobile devices don’t yet appear to be a preferred attack vector for malware.

Why is this a problem?

According to Raytheon’s 2015 Global Megatrends in Cybersecurity, only 34% of over 1,000 respondents said they thought their organizations were prepared for and keeping up with new technologies and the “Internet of Things.”

Over 67% of the respondents said that their organizations need more knowledgeable and experienced security professionals.

How can we prepare?

Respondents saw the following security technologies having the biggest increase in importance over the next 3 years:

  1. Encryption of Data at Rest
  2. Big Data Analytics
  3. SIEM – Security Information and Event Management
  4. Forensics
  5. Encryption of Data in Transit

They also see the following top factors providing the most improvement in their overall security posture over the next 3 years:

[Figure: Improving Cybersecurity Posture]

The IBM study found the following factors that can increase or decrease the cost per record of a data breach:

[Figure: factors that increase or decrease the cost per record of a data breach]

Trustwave Global Security Report 2014: An Overview

The Trustwave Global Security Report for 2014 was recently released.  There are a number of very useful and insightful statistics in this report, which we can corroborate, based on our assessments of numerous organizations’ networks.  We wanted to highlight a few of these statistics below:

Top 10 Internal Network Penetration Test Vulnerabilities

– which include weak passwords, shared accounts and unencrypted storage



Top 10 External Network Penetration Test Vulnerabilities

– which include default SNMP community strings and weak passwords



Top 10 Web Application Vulnerabilities

– including path traversal, authentication bypass, SQL injection, unencrypted (non-HTTPS) pages and cross-site scripting (XSS), which shows that the OWASP Top 10 is alive and well



Weak passwords were the cause of the initial compromise 31% of the time

– it’s time to raise the minimum password length (length does more than complexity rules), block known-weak passwords and enforce lockouts


Criminals relied most heavily on Java applets as a malware delivery method

– Java and Adobe products routinely top the vulnerability count when we assess an organization. Patch schedules for these products are essential, and where Java isn’t needed in the browser, disable the plugin.


71% of victims did not detect the breach themselves

– nobody wants a client to be the one telling them they’ve been breached. It’s time to implement defense in depth with IDS/IPS and a SIEM, and to have someone actually reviewing what those systems flag.


67% of victims were able to contain a breach within 10 days of discovery; however, the median number of days from intrusion to detection was 87

– organizations mostly just need to know it happened; once they know, they generally handle the situation well. Detection, not containment, is the gap.


Top Intrusion Indicators Include:

anomalous account activity, unexplained or suspicious outbound data, new and/or suspicious files dropped, geographic anomalies in logins, registry changes, log tampering, anti-virus tampering, services added/stopped/paused, and more

– learning to recognize these signs, or deploying tools that correlate these kinds of events across hosts, is what makes self-detection possible
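
As an added illustration of what that correlation looks like in practice (this is example code written for this page, not anything from the Trustwave report or a SIEM product), the script below walks a small constructed log sample and raises several of the indicators listed above: a burst of failed logins followed by a success, the same user logging in from two countries inside an hour, a security service being stopped, an executable dropped in a temp directory, and the Security log being cleared. The pipe-delimited log format, the field names, the thresholds and every sample line are assumptions made for the demonstration.

```python
"""Correlate several intrusion indicators over a small, constructed log sample.

Added example, not taken from the Trustwave report or from any SIEM
product. The pipe-delimited log format, the field names, the thresholds
and the sample lines are assumptions constructed for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ts|host|user|event|key=value extras
SAMPLE_LOG = """\
2015-10-05T02:14:07Z|ws-042|jdoe|login_fail|country=US src=203.0.113.7
2015-10-05T02:14:19Z|ws-042|jdoe|login_fail|country=US src=203.0.113.7
2015-10-05T02:14:31Z|ws-042|jdoe|login_fail|country=US src=203.0.113.7
2015-10-05T02:14:44Z|ws-042|jdoe|login_fail|country=US src=203.0.113.7
2015-10-05T02:14:58Z|ws-042|jdoe|login_fail|country=US src=203.0.113.7
2015-10-05T02:15:10Z|ws-042|jdoe|login_ok|country=US src=203.0.113.7
2015-10-05T02:40:02Z|vpn-1|jdoe|login_ok|country=RO src=198.51.100.9
2015-10-05T02:41:15Z|ws-042|jdoe|service_stop|service=WinDefend
2015-10-05T02:41:20Z|ws-042|jdoe|file_created|path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe
2015-10-05T02:42:00Z|ws-042|jdoe|log_cleared|channel=Security
2015-10-05T09:05:33Z|ws-017|asmith|login_ok|country=US src=192.0.2.44
2015-10-05T09:06:00Z|ws-017|asmith|file_created|path=C:\\Users\\asmith\\Documents\\budget.xlsx
"""

# Tunables (assumptions; a real deployment would baseline these per environment)
FAIL_THRESHOLD = 5                   # failed logins before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)
GEO_WINDOW = timedelta(hours=1)      # two countries inside this window is "impossible travel"
SECURITY_SERVICES = {"WinDefend", "Sysmon", "EventLog", "MpsSvc"}
DROP_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")
EXEC_EXT = (".exe", ".dll", ".ps1", ".vbs", ".scr")


def parse(line):
    """One log line -> dict with a real timestamp plus the key=value extras."""
    ts, host, user, event, extras = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in extras.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "event": event, **fields}


def correlate(log_text):
    """Return a list of (indicator, user, detail) tuples in time order."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    fails = defaultdict(list)   # user -> timestamps of recent failed logins
    last_login = {}             # user -> (timestamp, country) of last success
    for e in events:
        user, ev, ts = e["user"], e["event"], e["ts"]
        if ev == "login_fail":
            fails[user].append(ts)
        elif ev == "login_ok":
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("brute_force_success", user,
                                 f"{len(recent)} failures then success at {ts:%H:%M:%S}"))
            fails[user].clear()
            country = e.get("country")
            if user in last_login:
                prev_ts, prev_country = last_login[user]
                if country != prev_country and ts - prev_ts <= GEO_WINDOW:
                    findings.append(("geo_anomaly", user,
                                     f"{prev_country} then {country} within {ts - prev_ts}"))
            last_login[user] = (ts, country)
        elif ev == "service_stop" and e.get("service") in SECURITY_SERVICES:
            findings.append(("security_service_stopped", user, e["service"]))
        elif ev == "log_cleared":
            findings.append(("log_tampering", user, e.get("channel", "?")))
        elif ev == "file_created":
            path = e.get("path", "").lower()
            if any(d in path for d in DROP_DIRS) and path.endswith(EXEC_EXT):
                findings.append(("suspicious_file_drop", user, e["path"]))
    return findings


if __name__ == "__main__":
    for indicator, user, detail in correlate(SAMPLE_LOG):
        print(f"{indicator:26} {user:8} {detail}")
```

Run on the sample, the five indicators all fire for the same user within half an hour, which is the point: any one of them alone is noise an analyst would probably dismiss, but a SIEM that keys them by user and host turns them into one obvious incident. The asmith lines are there to show a normal login and a normal document save produce nothing.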


Over 13 client-side zero-day vulnerabilities were actively exploited in 2013

– again, it is essential to have a patching procedure for third-party plugins and apps


78% of detected exploits were Java-related


Botnet analysis showed a continuing trend of common passwords, and of the same compromised passwords being reused across multiple sites

– audit for passwords that should never be allowed in your organization, and for the same password being shared across accounts
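
The two password findings above (weak passwords behind 31% of compromises, and common or reused passwords in the botnet data) call for the same audit, so here is one added example that does both. It is illustrative code written for this page, not from the Trustwave report or any password-audit tool: the banned list, the minimum length and the sample accounts are constructed assumptions, and in real life the passwords would come from a cracking run against your own hashes rather than a plaintext dictionary.

```python
"""Audit a set of accounts for the password weaknesses that keep showing
up in these reports: too short, on a banned/common-password list (after
undoing the usual "P@ssw0rd1!" decorations), and the same password shared
by several accounts.

Added example, not code from the Trustwave report or from any password
audit tool. The banned list and the accounts are constructed for
illustration; in practice the denylist is a large breach-corpus wordlist
and the passwords come from a cracking run against your own hashes, not
from a plaintext file.
"""
import re
from collections import defaultdict

MIN_LENGTH = 12  # assumption: length buys more than complexity rules do

# Constructed denylist of base words. Real lists run to millions of entries.
BANNED = {"password", "123456", "qwerty", "letmein", "welcome",
          "summer", "winter", "spring", "autumn", "monkey", "dragon"}

# Undo common character substitutions so "P@ssw0rd" normalises to "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                       "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw):
    """Lower-case, strip the trailing year/punctuation, undo leetspeak."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(_LEET)


def audit_password(pw, banned=BANNED, min_length=MIN_LENGTH):
    """Return a list of findings for one password (empty list means it passes)."""
    findings = []
    if len(pw) < min_length:
        findings.append(f"too short ({len(pw)} < {min_length})")
    if pw.lower() in banned or normalize(pw) in banned:
        findings.append("on banned list")
    return findings


def audit_accounts(accounts):
    """accounts: {username: password}. Returns {username: [findings]}.
    A shared password is reported on every account that uses it."""
    users_by_pw = defaultdict(list)
    for user, pw in accounts.items():
        users_by_pw[pw].append(user)
    report = {}
    for user, pw in accounts.items():
        findings = audit_password(pw)
        others = sorted(u for u in users_by_pw[pw] if u != user)
        if others:
            findings.append("shared with " + ", ".join(others))
        report[user] = findings
    return report


# Constructed sample accounts
SAMPLE_ACCOUNTS = {
    "alice": "P@ssw0rd!",
    "bob": "Tr0ub4dor&3",
    "carol": "Tr0ub4dor&3",
    "dave": "Summer2015!",
    "erin": "correct horse battery staple 42",
}

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user:6} {'OK' if not findings else '; '.join(findings)}")
```

The normalisation step is what makes the denylist useful: a complexity rule is happy with "Summer2015!" and "P@ssw0rd!", both of which collapse to banned base words, while the long passphrase passes without containing a single symbol. Checking for the same password on several accounts catches the shared-account and password-reuse problems in the same pass.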


Microsoft SQL Server was the only database that did not experience any known vulnerabilities in 2013


Android and iOS both had a number of vulnerabilities

– don’t assume one platform is more secure than another on reputation alone; make sure all of your mobile devices are managed


In conclusion, I suggest everyone take a look at this report and note the elements that recur in every report of this kind.  Organizations need stronger passwords and they need to patch their stuff.  Those two steps alone mitigate a large share of the risk.

You can download the full report here.


Verizon Breach Report 2013: What Does It Mean For Your Organization

Each year Verizon releases its Data Breach Investigations Report (DBIR); it is something of a state of the union for last year’s breaches.  It is worthwhile research for determining the industry trends that should steer the budgets and focus of IT departments.  This year’s report (the 2014 DBIR, covering calendar 2013) includes 1,367 confirmed data breaches and 63,437 security incidents.

No one is immune:


According to the report, 92% of all incidents fall into just 9 patterns.  Here is a summary of things every organization should be doing to stay out of next year’s report:

  • Restrict Remote Access
  • Enforce Password Policies
  • Deploy AV
  • Employ Network Monitoring
  • Reconsider Network Topologies and Connectivity
  • Two Factor Authentication
  • AppDevs use the OWASP Top Ten
  • Information Management – Where is your data and who has access?
  • Review User Accounts
  • Encrypt Devices
  • Use mobile device management systems
  • Patch Your Stuff
  • Implement Change Management
  • Maintain Logs
  • Monitor your corporate email addresses for breaches

Let’s break down the sections for quick overview of the report:

Point-Of-Sale Intrusions

In 2013 over 99% of POS intrusions were initiated by external parties, and worse, in 99% of cases an external party (law enforcement, fraud detection or a customer) notified the organization of the breach.  Which raises the question: is compliance enough?

What can you do?

  • Restrict Remote Access
  • Enforce Password Policies
  • Use POS systems only for POS activities
  • Deploy AV
  • Employ Network Monitoring
  • Reconsider Network Topologies and Connectivity

Web App Attacks

Applications are attacked from many directions, but the vector is almost always something in the OWASP Top Ten, so developers need to be familiar with every item on it.  60% of compromises occur within minutes of the attack starting.  Over 85% of attacks take days or longer to discover, and 50% take months or longer.  Discovery is therefore the area that needs the most focus: most organizations, once they discover the attack, respond within days.

What can you do?

  • Two Factor Authentication
  • Scrutinize your CMS (and keep it patched)
  • Validate Inputs
  • Enforce Lockouts
  • Monitor Outbound Connections
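
To make “Validate Inputs” concrete, and to show the SQL injection and authentication bypass that the Trustwave web application list above also calls out, here is an added example (written for this page, not code from the Verizon report or any real application). It builds an in-memory SQLite database with one constructed account, then shows a login check done the injectable way beside the hardened version; the table names, the account and the PBKDF2 work factor are assumptions.

```python
"""Login check, vulnerable vs. hardened: the SQL injection / authentication
bypass the reports keep listing, and the fix (bound parameters, and
keeping the secret out of the query altogether).

Added example, not code from the Verizon report or from any real
application. Standard library only; the in-memory SQLite database, the
account and the work factor are constructed/assumed for the demonstration.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # assumption; tune to your hardware
DUMMY_SALT = b"\0" * 16      # used to equalise timing for unknown users


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def build_db():
    """Constructed test database with one account: alice / hunter2-is-a-bad-idea."""
    conn = sqlite3.connect(":memory:")
    # Legacy table: plaintext passwords, queried by string concatenation.
    conn.execute("CREATE TABLE users_legacy (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users_legacy VALUES ('alice', 'hunter2-is-a-bad-idea')")
    # Hardened table: per-user salt and PBKDF2 hash, no plaintext anywhere.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, _derive("hunter2-is-a-bad-idea", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so a quote in either field
    rewrites the WHERE clause. Never do this."""
    sql = ("SELECT 1 FROM users_legacy WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """Bound parameters: the value travels separately from the SQL, so it can
    only ever be compared as data. The password never enters the query at
    all; it is verified in Python with a constant-time comparison."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        _derive(password, DUMMY_SALT)  # same cost as a real check, so no user enumeration by timing
        return False
    salt, pw_hash = row
    return hmac.compare_digest(_derive(password, salt), pw_hash)


if __name__ == "__main__":
    db = build_db()
    for user, pw in [("alice", "hunter2-is-a-bad-idea"),
                     ("alice", "' OR '1'='1"),          # password-field bypass
                     ("' OR 1=1 --", "anything"),       # username-field bypass
                     ("alice", "wrong")]:
        print(f"{user!r:18} {pw!r:24} vulnerable={login_vulnerable(db, user, pw)} "
              f"hardened={login_hardened(db, user, pw)}")
```

Against the vulnerable function, the password `' OR '1'='1` turns the WHERE clause into `password = '' OR '1'='1'`, which is true for every row, and the username `' OR 1=1 --` comments the password check out entirely; both log in as alice without knowing her password. The hardened version returns False for both, not because it recognises the payloads (it does no filtering at all), but because parameter binding means the input can never change the query’s structure. Input validation is still worth doing for data quality, but it is the binding that stops the injection.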

Insider and Privilege Misuse

Most crimes by trusted parties are perpetrated for personal or financial gain.  In 71% of these incidents the attack began on the corporate LAN, and 28% took advantage of physical access within the corporate facility. This means that most of these types of attacks take place at work.    72% of these attacks were perpetrated for financial gain, and in 70% of intellectual property theft the person stole information within 30 days of announcing their resignation.

What can you do?

  • Information Management – Where is your data and who has access?
  • Review User Accounts
  • Watch what data leaves your network
  • Publish Audit Results

Physical Theft and Loss

Corporate assets are stolen from the workplace more often than from vehicles or residences, and 40% of thefts involve mobile assets.  In 80% of these thefts, access to the data was possible because controls had been disabled or bypassed.

What can you do?

  • Encrypt Devices
  • Encrypt Devices!
  • Use mobile device management systems
  • Segregate Secure Data (logically and physically)
  • Consider preventing secure data from being mobile

Miscellaneous Errors

Almost all data breaches include some element of human error.  Misdelivery (sending paper documents or emails to the wrong recipient) is the most frequently seen error resulting in data disclosure.  According to the report, “government organizations frequently deliver non-public information to the wrong recipient; so much so, in fact, that we had to remove it from [one of our figures] so that you could see the other error varieties.”

What can you do?

  • Implement a DLP Solution
  • Create better publishing policies
  • Control what is trashed and what is shredded


Crimeware

Zeus is still number one in malware attacks.  Statistics in this area are hard to pin down, because of variables such as machines being wiped and rebuilt instead of the malware being identified, and because the partners reporting these outbreaks often never learn the full details.

What can you do?

  • Patch Your Stuff
  • Keep Browsers up to Date
  • Disable Java in the Browser
  • Use Two-Factor Authentication
  • Implement Change Management
  • Leverage threat feeds

Payment Card Skimmers

100% of incidents involved data disclosure.  Most skimming occurred at ATMs and gas pumps.

What can you do?

Cyber Espionage

According to Verizon, “Strategic website compromises (SWCs) have proven to be an effective tactic of state-affiliated threats to infiltrate the networks of target organizations.”  Over 75% of compromises took advantage of browser based zero-day vulnerabilities.

What can you do?

  • Patch Your Stuff
  • Make Sure AV is Up to Date
  • Train Users
  • Segment Networks
  • Maintain Logs

DOS Attacks

No data was disclosed as a result of a DoS attack.  The average attack utilized a sustained 10Mbps of bandwidth.  The amount of traffic in the Spamhaus attack ranged from 85-120Gbps. Yikes!

What can you do?

  • Turn off unused ports and services
  • Segregate essential IPs from unused IPs
  • Contact your provider about anti-DDoS services
  • Have a plan in place
  • Know your servers’ limits