Breach, Data Security, Malware

Study finds payment card info most compromised, breach detection lags

Payment card data continues to make up the bulk of information compromised though non-payment card data was the centerpiece of 45 percent of the data thefts last year, according to the "2014 Trustwave Global Security Report."

The report's findings, based on information gathered and analyzed by the security company's experts about 691 breach investigations in 24 countries, revealed a 33 percent increase in the theft of financial credentials, PII, customer records, internal communications and other sensitive information not affiliated with payment cards. Theft of financial account credentials alone increased 22 percent.

Saying that payment card data is still in demand, “that doesn't mean other types of data are not lucrative,” Karl Sigler, Threat Intelligence Manager at Trustwave, told in Wednesday email correspondence. He noted that criminals who cast a wide net with malware “often don't get to choose their payoff” and capture user credentials, confidential documents and other “data useful for identity theft" and other cyber crimes.

"Most data has some value attached and it's just a matter for criminals to parse it out and find a buyer,” he said.

In 54 percent of the cases e-commerce was targeted and point-of-sale breaches comprised 33 percent of Trustwave's investigations. As in last year's report, the retail industry was the top target of attackers, accounting for 35 percent of attacks, followed by food and beverage at 18 percent.

The U.S. was home to the most victims (59 percent) with the U.K. ranked a distant second at 14 percent. But it seems the U.S. gave as good as it got — hosting 42 percent of the malware investigated by Trustwave, well ahead to second-ranked Russia at 13 percent and Germany at nine percent.

The bulk of malicious spam included malicious attachments (59 percent) while 41 percent included malicious links. Java applets continued to be the delivery method of choice, used in 78 percent of the exploits. The Blackhole exploit kit topped the list as the malware of choice for yet another year at 49 percent, though its prevalence was down from 60 percent in 2012, in large part due to the arrest of its creator, who goes by the name of “Paunch.”

Attackers' ploys were made easier by weak user passwords, which help them gain entrée in 31 percent of the 2013 incidents that Trustwave analyzed.

And organizations struggled to detect and contain breaches — the report's findings show the 71 percent of victims do not detect breaches themselves. And that makes a difference in containment times. For those organizations that self-detected, the median number of days between a breach and containment was one. But for those breaches detected by a third party such as a regulatory body or law enforcement, the median number of days until containment was 14.

Experts also found that the median span between initial intrusion and detection was 87 days and from detection to containment was seven days. Once discovered, 67 percent of victims could contain a breach within 10 days.

“Very few organizations have the capability to detect an intrusion themselves,” Sigler said. But the longer detection periods give “attackers the opportunity to cause more damage, entrench their presence on the victim's network, and exfiltrate more data.”

As a result, it takes longer to recover from a breach, noting that during the extra 13 days it took to detect a breach among those who relied on third party detection “there's a lot of data that hackers can steal in 13 days.”

Detection is made all the more difficult because it requires “logging network, application and operating system activity” as well as human intervention “ to look through these logs with an understanding of the security implications,” Sigler said, explaining that many companies just don't have those capabilities in place.

Sigler noted that organizations are improving incident response, which he referred to along with computer forensics as an art as much as science.

Although there is still a noticeable lag between discovery and containment in this year's report, the gap closed significantly over 2012 when in half of the compromises it took the victim four months from initial intrusion to containment.

Sigler noted that organizations are improving incident response, which he referred to along with computer forensics as an art as much as science.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.