Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/19/2009
05:49 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Tippett: Use Application Logs To Catch Data Breaches

At CSI/SX, Verizon Business' Peter Tippett talks trends and lessons learned in data breaches

LAS VEGAS -- CSI/SX -- Given the nature of data breaches today, organizations are better off saving money and doing "lightweight" security testing across more of their infrastructure than conducting deep assessments across a few systems, Peter Tippett, vice president of innovation and technology for Verizon Business, told attendees at the Computer Security Institute (CSI) Security Exchange conference here this week.

And Tippett says application logs are the more effective way to monitor breaches than the traditional signature-based network devices like IDSes or even firewall logs: according to data from Verizon's second annual breach report, most attacks came out of the bad guys using stolen passwords. "Signature-based IDS doesn't work -- signatures tend not to happen [in these attacks]," Tippett said. "Most attacks are when the bad guy uses a legitimate password, and we put IDS on the critical machines, but the attack is on these non-critical machines that gets the [bad guy] to the critical machine."

It's those oft-forgotten machines that are more at risk, he said. "They don't attack critical machines. They attack the stupid machines no one pays attention to," Tippett said.

The number one attack method used in most breaches is the old standby, the stolen password, according to Verizon's data, followed by SQL injection and attacks that take advantage of improperly configured Access Control Lists (ACLs). While Web applications are a major attack vector, remote access via SSH, VNC, and PC-Anyware, is as well, Tippett said. "And we don't spend much on that" in security, he said.

Over 80 percent of the time, the application log data that Verizon Business gathers from its clients in its forensic investigations could have stopped an attack had the enterprise been watching those logs. "It turns out, of all the things that you could monitor -- IDS, firewall, etc. -- it's stronger to look at the application logs. 82 percent of the time we showed [the client's] management the log proof that [a breach occurred]. If they had seen that log [initially], it would've stopped it," Tippett said.

And two-thirds of the breaches last year involved stolen data records sitting on less-secure systems -- and the organization hadn't even known they were there. "You don't need to spend a million on data leakage protection. Stick a sniffer where the data should be and see where it goes," Tippett said. "Turn off vulnerability testing and do discovery testing" to locate sensitive data that could be exposed, he said. "That could take care of a significant proportion of data loss."

One-fourth of the breach cases were traced to an unknown network connection. "No one was paying attention," he said. "90 percent of all cases involve one of three unknowns: asset/data, connection, or user privileges."

Although targeted attacks accounted for 28 percent of the breaches in '08 (twice as many as last year), Tippett said most attacks were "opportunistic," and 74 percent came from the outside, not the feared insider attack. One-third were partner-related, he said: "That means people who had permission to use your systems."

Two-thirds of the cases involved hacking, and two-thirds didn't use malware at all, according to Verizon's data.

And the number of breach cases using a zero-day attack over the past five years: zero, Tippett said. "Not a single case that got anyone to the front page involved a vulnerability that was less than six months old," he said.

How long does it take cybercriminals to get in and take data out? According to Verizon's findings, the average is a little over one day. And in most cases, Tippett said, it took over an hour to get in and get the stolen data out of the victim organization.

Even more worrisome is how long it takes the victims to figure it out. More than 50 percent didn't discover their breach for several months, and then it takes them weeks to shut it down, Tippett said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21360
PUBLISHED: 2021-03-09
Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic ...
CVE-2021-21361
PUBLISHED: 2021-03-09
The `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors. This is fixed...
CVE-2021-24033
PUBLISHED: 2021-03-09
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoke...
CVE-2021-21510
PUBLISHED: 2021-03-08
Dell iDRAC8 versions prior to 2.75.100.75 contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary ‘Host’ header values to poison a web-cache or trigger redirections.
CVE-2020-27575
PUBLISHED: 2021-03-08
Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation.