10/5/2011 01:15 PM
Most Businesses Don't Spot Hack Attacks

Congress hears testimony that most businesses are told by government agencies and law enforcement that they've been hacked, and that better security data sharing is needed.

Out of the last 50 forensic investigations that information security company Mandiant has conducted, 48 of the businesses involved didn't know they'd been breached until informed by law enforcement agencies, Mandiant CEO Kevin Mandia told the House Intelligence Committee on Tuesday.

How could so many businesses not know when they'd been hacked? According to Mandia, advanced attacks--once reserved for use against government agencies--are now being used with greater frequency against businesses. Attackers have also become expert at using malware to compromise legitimate networks, then using them to launch botnet-driven attacks against other targets.

Furthermore, attackers are getting better at routing around known security defenses. "We routinely witness attackers circumvent conventional safeguards deployed to prevent and detect security breaches," Mandia told legislators. "Virtually all of these intrusions belong to the growing subset of advanced threats that usually evade off-the-shelf technologies that American corporations rely upon--oftentimes exclusively--for their defense."

[ Once you do discover that you've been breached, do you know how to respond? Read Data Breach Response Plans: Is Yours Ready? ]

That combination of factors helps explain why businesses have been getting worse at detecting breaches. "I've been tracking how organizations detect that they've had a breach since 1998," said Mandia in an interview. Initially, many businesses spotted when they'd been attacked. But by 2004, he said, attack-detection rates had declined, with only 20% of businesses spotting when they'd been hacked. Based on recent breaches, the detection rate has fallen to just 4%.

Why are law enforcement agencies spotting so many breaches, while businesses remain in the dark? "During normal law enforcement tradecraft, the FBI in particular is learning so much about the adversary that they're seeing downstream victims. And each military branch is doing it as well. The Air Force, Army, and Navy are also learning a lot more about the threats than the private sector is," said Mandia. Primarily, he sees the FBI, as well as the Defense Criminal Investigative Service (DCIS) and the Naval Criminal Investigative Service (NCIS), reaching out to inform businesses they've been hacked.

The extent to which law enforcement agencies alert businesses that they've been breached was likewise highlighted earlier this year by Steven Chabinsky, deputy assistant director of the FBI's cyber division. "It's often the case now that the FBI is informing people that they've been victimized, rather than victims coming to the FBI," he said in an interview.

For businesses to better resist these attacks, they'd ideally have access to the threat intelligence being produced by government agencies--and that was the theme of Tuesday's committee hearing. But such information-sharing today is virtually nonexistent. "Let me be clear: This stuff is overprotected. It is far easier to learn about physical threats to the U.S. from U.S. government agencies than it is to learn about cyber threats," Michael Hayden, a former director of both the CIA and NSA, told the committee.

"In the popular culture, the availability of 200,000 applications for my smartphone is viewed as an unalloyed good. It is not--since each represents a potential vulnerability," he said. "But if we want to shift the popular culture, we need a broader flow of information to corporations and individuals to educate them on the threat."

According to Mandia, "basically the private sector is hemorrhaging intellectual property now based on a series of online intrusions, and they can't do anything about it."

But one overriding question remains: how might the government usefully go about sharing cyber attack intelligence, starting with businesses? "It's tough, and it's kind of a nerdy thing to say, but I think it starts with the standardization of how you share the information. It needs to be like a file that you just input and hit the 'go' button," he said.

"The minute that's codified, the private sector can pretty much start to safeguard themselves," he said. "The knowledge gleaned from the premier information security program in your industry will be shared on down throughout the industry. So the minute we can share intelligence through technology, you'll see the private sector begin to respond to these attacks much more quickly."


Comments
SKELLOGG921
User Rank: Apprentice
10/17/2011 | 4:17:29 PM
re: Most Businesses Don't Spot Hack Attacks
I have to agree with jrapoza. Corporations need to take IT security a little more seriously. Also, the IT staff could use more training so they can be better prepared in case of an attack. Just having AV software is not enough; most can be easily hijacked using kiddie-scripts. Also, if they are doing security audits, they should listen to the experts' advice and implement a plan. Penetration testing helps too; it shows you your weaknesses. It seems far fetched that companies will invest much more money into security, but we can always hope.
jrapoza
User Rank: Apprentice
10/6/2011 | 4:26:12 PM
re: Most Businesses Don't Spot Hack Attacks
I think to a large degree this is due to many companies not investing in security and also, many that do don't go much further than the basic features of their products and don't get into deep analysis and monitoring.
There's also a part of me that thinks there are more than a few companies who don't want to find out about breaches because then they can claim ignorance.

Jim Rapoza, Contributing Editor, InformationWeek
Bprince
User Rank: Ninja
10/6/2011 | 12:50:30 PM
re: Most Businesses Don't Spot Hack Attacks
That's pretty amazing. I wonder what the two companies that did know were doing from a security perspective the other 48 weren't. Or if they were just lucky.
Brian Prince, InformationWeek contributor