Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

5/19/2009 05:49 PM

Tippett: Use Application Logs To Catch Data Breaches

At CSI/SX, Verizon Business' Peter Tippett talks trends and lessons learned in data breaches

LAS VEGAS -- CSI/SX -- Given the nature of data breaches today, organizations are better off saving money and doing "lightweight" security testing across more of their infrastructure than conducting deep assessments across a few systems, Peter Tippett, vice president of innovation and technology for Verizon Business, told attendees at the Computer Security Institute (CSI) Security Exchange conference here this week.

And Tippett says application logs are a more effective way to monitor for breaches than traditional signature-based network devices like IDSes, or even firewall logs: according to data from Verizon's second annual breach report, most attacks involved the bad guys using stolen passwords. "Signature-based IDS doesn't work -- signatures tend not to happen [in these attacks]," Tippett said. "Most attacks are when the bad guy uses a legitimate password, and we put IDS on the critical machines, but the attack is on these non-critical machines that gets the [bad guy] to the critical machine."

It's those oft-forgotten machines that are more at risk, he said. "They don't attack critical machines. They attack the stupid machines no one pays attention to," Tippett said.

The number one attack method used in most breaches is the old standby, the stolen password, according to Verizon's data, followed by SQL injection and attacks that take advantage of improperly configured Access Control Lists (ACLs). While Web applications are a major attack vector, remote access via SSH, VNC, and pcAnywhere is as well, Tippett said. "And we don't spend much on that" in security, he said.

Over 80 percent of the time, the application log data that Verizon Business gathers from its clients in its forensic investigations could have stopped an attack had the enterprise been watching those logs. "It turns out, of all the things that you could monitor -- IDS, firewall, etc. -- it's stronger to look at the application logs. 82 percent of the time we showed [the client's] management the log proof that [a breach occurred]. If they had seen that log [initially], it would've stopped it," Tippett said.
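The point Tippett makes above is that a stolen but valid password produces no exploit traffic for a signature IDS to match, yet the application log still records who logged in, from where, when, and how much data they pulled. The following script is an added illustration, not code from the article or from Verizon Business: it runs simple baseline checks (unknown source address, off-hours login, export volume far above a user's norm) over a constructed log in an assumed single-line format, with per-user baselines that a defender would derive from log history.

```python
"""Flag valid-credential abuse in application logs (constructed example).
Log line format assumed: '<ISO time> user=<u> ip=<a> action=<login|export> rows=<n>'."""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
                     r"action=(?P<action>\S+) rows=(?P<rows>\d+)$")

# Constructed sample log: a real password used from a new address at night,
# followed by a bulk export. No exploit, so no IDS signature; the log shows it.
SAMPLE_LOG = """\
2009-05-18T09:02:11 user=alice ip=10.1.4.22 action=login rows=0
2009-05-18T09:05:40 user=alice ip=10.1.4.22 action=export rows=120
2009-05-18T23:41:03 user=alice ip=203.0.113.77 action=login rows=0
2009-05-18T23:52:19 user=alice ip=203.0.113.77 action=export rows=48000
2009-05-18T10:15:00 user=bob ip=10.1.4.31 action=login rows=0
"""

# Constructed per-user baselines a defender would derive from log history.
KNOWN_IPS = {"alice": {"10.1.4.22"}, "bob": {"10.1.4.31"}}
TYPICAL_ROWS = {"alice": 200, "bob": 500}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59

def parse(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["rows"] = int(ev["rows"])
    return ev

def find_findings(log_text):
    """Return (line_no, reason) pairs for events that deviate from baseline."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse(line)
        if ev is None:
            continue
        u, ip, hour = ev["user"], ev["ip"], ev["ts"].hour
        if ev["action"] == "login":
            if ip not in KNOWN_IPS.get(u, set()):
                findings.append((n, f"login for {u} from unknown source {ip}"))
            if hour not in BUSINESS_HOURS:
                findings.append((n, f"login for {u} at {hour:02d}:00, outside business hours"))
        elif ev["action"] == "export" and ev["rows"] > 10 * TYPICAL_ROWS.get(u, 0):
            findings.append((n, f"export of {ev['rows']} rows by {u}, 10x above baseline"))
    return findings
```

Running `find_findings(SAMPLE_LOG)` flags lines 3 and 4 only: the daytime activity from the known address passes, while the same valid account used at night from a new address and then exporting 48,000 rows is reported three times over.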

And two-thirds of the breaches last year involved stolen data records sitting on less-secure systems -- and the organization hadn't even known they were there. "You don't need to spend a million on data leakage protection. Stick a sniffer where the data should be and see where it goes," Tippett said. "Turn off vulnerability testing and do discovery testing" to locate sensitive data that could be exposed, he said. "That could take care of a significant proportion of data loss."

One-fourth of the breach cases were traced to an unknown network connection. "No one was paying attention," he said. "90 percent of all cases involve one of three unknowns: asset/data, connection, or user privileges."

Although targeted attacks accounted for 28 percent of the breaches in '08 (twice as many as last year), Tippett said most attacks were "opportunistic," and 74 percent came from the outside, not the feared insider attack. One-third were partner-related, he said: "That means people who had permission to use your systems."

Two-thirds of the cases involved hacking, and two-thirds didn't use malware at all, according to Verizon's data.

And the number of breach cases using a zero-day attack over the past five years: zero, Tippett said. "Not a single case that got anyone to the front page involved a vulnerability that was less than six months old," he said.

How long does it take cybercriminals to get in and take data out? According to Verizon's findings, the average is a little over one day. And in most cases, Tippett said, it took over an hour to get in and get the stolen data out of the victim organization.

Even more worrisome is how long it takes the victims to figure it out. More than 50 percent didn't discover their breach for several months, and then it takes them weeks to shut it down, Tippett said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
