November 26, 2014

Security Breach Roundup: A Heavy Dose of Scary Security Facts and Suppositions


We’re taking a slightly different tack than usual with this month’s security breach report by focusing on a couple of security studies and an interview with a high-profile security expert, although we will report on one high-profile breach at a certain U.S. space agency.

Clarke Asserts China Has Hacked Every Major U.S. Company

After reading this first item it’s tempting to just stop doing these roundups and make a simple declaration: everyone’s been breached. We can stop counting.

But the warning from Richard Clarke, a former terrorism, cybersecurity and cyberterrorism advisor for the White House, is quite serious, as reported by Ron Rosenbaum in a fascinating interview in the Smithsonian:

“I’m about to say something that people think is an exaggeration, but I think the evidence is pretty strong,” he tells me. “Every major company in the United States has already been penetrated by China…

“My greatest fear,” Clarke says, “is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China….After a while you can’t compete.”

This from the man who was desperately trying to warn the president that Bin Laden was planning to attack the U.S. before 9/11, and who was right on the money when it came to Al Qaeda. Let’s hope we pay more attention to this warning.

Verizon Study Quantifies the Rise of Hacktivism

If you work for a big company and that doesn’t scare you, maybe this will. From Forbes:

On Thursday, Verizon released its annual Data Breach Investigations Report, [PDF here] the largest study of its kind, and one that delves into data from hundreds of the company’s breach responses, along with those performed by law enforcement agencies including the U.S. Secret Service as well as Australian, Dutch, U.K. and Irish police. The result of this year’s study is clear enough: In 2011, hacktivists made their presence felt in the world of information security more than ever before, and by some measures even more than the financial criminals who usually dominate data breach statistics.

Of the 855 breach incidents from the last year that Verizon’s security team analyzed, three percent were attributed to “hacktivists.” That may seem like a small proportion, but Verizon’s director of security research Wade Baker says it’s giant compared to the same category in previous studies, which barely created a blip on Verizon’s radar last year and accounted for less than one percent of incidents. Narrow the field of victims to only large organizations, which hackers within Anonymous and its splinters target for maximum exposure, and the number of hacktivist incidents rises to 25%.

But the real impact of last year’s radical hacktivism can be seen in the numbers of actual compromised records – each one representing data attached to an individual. Of the 177 million records stolen by hackers over the last year, 100 million were taken by hacktivists. The stats don’t even include common hacktivist techniques like website takedowns with denial of service attacks or defacements, instead focusing only on actual data theft.

That means more than one out of every two stolen records is the result of hacktivism. Looking at it another way, the hacktivists are beating the criminals.

Data Breach Costs Dip – But Hold the Celebration

If you need a bit of good news after those little nuggets, here it is, from the annual Ponemon Institute data breach cost study (PDF), as reported by SmartPlanet:

For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The study, which examined 49 data breach cases with a range of nearly 4,500 to 98,000 affected records, found the average cost per affected record declined from $214 to $194. The organizational cost declined from $7.2 million to $5.5 million.

That’s the good news. Here’s the bad:

There is a huge Achilles’ Heel in data security, and that is insiders with privileged — and often unmonitored — access. The greatest data security vulnerability is slackers, not hackers, the survey finds. Thirty-nine percent of companies said insider negligence was the root cause of the data breaches. Most breaches occur because of employee mistakes and lax operating procedures. As companies grow, many fail to put training and protocols in place to safeguard data. Others delegate data protection to the IT department, which does little to protect against human error, the Ponemon report claims.

NASA Admits to Security Breach and Blames – You Guessed It – the Chinese

To bring this month’s report full-circle, we have this account of an actual breach – at NASA, of all places. As the Web Host Industry Review reported in early March:

Hackers successfully breached networks at NASA’s Jet Propulsion Laboratory last November, where they were able to install malware, delete or steal private information, and take control of user accounts to access privileged sections of the network, according to a report released this week from the National Aeronautics and Space Administration’s inspector general.

If there is anything to learn from the multiple security breaches at NASA, it is that no single hosting environment is ever fully secure. After all, NASA has an annual IT security budget of $58 million and hosts all its content in-house on its own infrastructure, built by some of the brightest minds in the world, and yet its network was successfully hacked on multiple accounts.

The breach was found to originate from Chinese-based IP addresses, where hackers were able to hijack the accounts of “privileged JPL users” to gain “full access to key JPL systems,” Inspector General Paul K. Martin wrote in a report to Congress.

Seriously, if the Jet Propulsion Laboratory is being breached, what does a Pearl Harbor moment look like?