06-09-14 | Blog Post

What took so long? How data breaches can go months without being detected

Blog Posts

After the recent eBay data breach in which more than 145 million user records were reportedly compromised by hackers, the internet is once again full of stories about consumers demanding better protection, analysts blaming organizations for not following basic cybersecurity protocol, and tales of hackers that are simply out-sophisticating sophisticated security (eBay used two-factor authentication and encryption, which did protect users’ financial information).

There are the standard tips for consumers: change your passwords, don’t use the same password on multiple sites and watch out for phishing scams.

But a less-discussed nugget of information to emerge in coverage of the eBay breach is that hackers compromised its network in late February or early March, but the breach wasn’t uncovered until May. That “is a LOT of time for an attacker to be roaming around your network and systems,” Forrester analyst Tyler Shields told USA Today.

But eBay isn’t alone. A Verizon Data Breach Investigation Report says 66 percent of breaches took months or even years to discover. Why the delay? 1) Because it’s very difficult to monitor everything in a large and complex environment. 2) Cyber criminals benefit from being camouflaged as long as possible. DDoS attacks are usually just a distraction to cover real targets.

Cybercrime is not just a bored hacker with some aberrant happenstances getting the connections. It is a highly-organized, collaborative effort. According to Interpol, cybercrime has surpassed the total global sales of cocaine, heroin, and marijuana combined. It’s unimaginably lucrative and frustratingly difficult to police – particularly since cyber criminals don’t have the exposure of drug runners. They don’t grow anything or transport anything.

They’re also good at not leaving clues behind. Cybercrime is an invisible crime. There’s no trail of broken glass signaling a network break-in when you walk into your office on Monday morning.

In a 2012 Online Tech webinar titled “Healthcare Security Vulnerabilities,” security expert Adam Goslin of Total Compliance Tracking pointed out that breaches don’t just go unidentified for months … they more often are never discovered.

“The bottom line is there are organizations that get breached every day that don’t have any idea it has happened. The hacker is gaining access to the system — seriously, what better way to just continue to get a stream of data? You find a vulnerability that you exploit,” Goslin said.

“You get in there, you pull the data that you want, on your way out the door you go ahead and wipe off all the fingerprints and everything like that, and you walk away. Then, you come back another two months later, three months later, when there’s some more data and go do it again. There are many organizations just because of their lack of internal vigilance that don’t even know that they’ve been breached.”

There are reports that the government intends to question eBay about how hackers bypassed security to gain personal information from users, so we’ll learn more about this specific incident at that time. When data breach details become part of a court case or official inquiry, the reasons behind delayed detection become a matter of public record.

Thankfully we have attorney Tatiana Melnik, a frequent contributor to the Online Tech ‘Tuesdays at Two’ webinar series, who took a keen interest in a court case involving Wyndham Worldwide Corporation, which was arguing that the Federal Trade Commission couldn’t prosecute them for data breaches.

That case ended in an important decision that Melnik evaluated during a May 29 webinar session titled Is the FTC Coming After Your Company Next? (and is discussed further here and here).

However, it also shed some light on how a data breach can go months without being detected. Filings included issues the FTC highlighted as being problematic for Wyndham, which suffered three separate data breaches. Particularly, Wyndham did not have an inventory in place of computers and mobile devices from its chain of hotels and resorts that were connecting to its network. Nor did it have an intrusion detection system or intrusion response system in place.

Quoting Melnik, from her webinar:

Wyndham suffered three data breaches. The first one happened in April 2008. It was a brute force attack. It caused multiple user lockouts. I think we all know that when we start seeing all of the lockouts come up that there is definitely something going on in the system and we need to start investigating, because why would all of a sudden half the staff members be locked out and not able to get into their computers? This is where the issue of not having an adequate inventory comes in. Even though they were able to determine that the account lockout was coming from two computers on their network, they were not able to physically locate those computers. They didn’t know where they were. As a result, they didn’t find out that their network was compromised until four months later. That is a really, really long time to have some hacker from Russia in your network stealing all your data. That’s quite problematic.

The next attack happened in March 2009. This is where we’re reminded that you have to limit people’s access. This happened because someone gained access to the networks through a service provider’s administrator account in their Phoenix data center. This is again why somebody who is working at the data center level, do they need access to your PHI? Should they have access into that system? No, absolutely not. More problematically here, Wyndham didn’t find out until customers started complaining. They didn’t even know their systems were breached. They searched the network and they found the same malware that was used in attack No. 1. Think about it. Okay, well, you’ve been attacked. You were breached. Don’t you think that you would have some process in place to now gain your systems or at least the malware that was used the first time around so that if you see it again, you know that there’s something going on, something fishy there?

Then their final attack happened in late 2009, and again, they did not learn of their attacks from their internal processes and controls. They learned about the attack from a credit card issuer when they got a call saying, “Hey, listen, we are seeing a lot of frauds from credit cards that were used at your facility.” Certainly not the best way to find out that there is an incident.

In June 2013, respected cyber security blog Dark Reading published a comprehensive article titled ‘Why Are We So Slow to Detect Data Breaches?’ In it, author Ericka Chikowski writes that poor instrumenting of network sensors, bad security information and event management (SIEM) tuning, and a lack of communication within security teams allow breaches to fester.

Instrumenting: Analysts told Dark Reading that most network monitoring sensor infrastructure is poorly instrumented, defending the enterprise like a bank vault with one big door rather than protecting an entire city. Mike Lloyd of RedSeal Networks made three recommendations: 1) Map infrastructures to help place sensors. 2) Identify obvious weak points. 3) Start designing zones into the infrastructure so monitoring can be done more easily at zone boundaries.

SIEM tuning: Threat and vulnerability expert James Phillippe from Ernst & Young calls a well-tuned SIEM “the heart of a security operations center and enables alerting to be accurate and complete.” The tools that detect breaches are important, but how the people running those tools put them to use is critical.

Communication: Streamlining the collaboration between various security and operations team members proves to be a difficult task, Dark Reading writes: “Even with all of the right data residing within the organization as an aggregate, it is very easy to fail to put all of the puzzle pieces together due to a lack of coordination.” Jason Mical of AccessData says disparate teams using disparate tools causes “dangerous delays in validating suspected threats or responding to known threats.”


Download PCI Hosting White PaperRelated:
Encryption of Cloud Data white paper
Mobile Security white paper
Data breaches ending careers “right to the top” of C-suite


Resources:
Online Tech webinar: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices
Online Tech webinar: Healthcare Security Vulnerabilities
Dark Reading: Why are we so slow to detect data breaches?
USA Today: eBay urging users to change passwords after breach

After the recent eBay data breach in which more than 145 million user records were reportedly compromised by hackers, the internet is once again full of stories about consumers demanding better protection, analysts blaming organizations for not following basic cybersecurity protocol, and tales of hackers that are simply out-sophisticating sophisticated security (eBay used two-factor authentication and encryption, which did protect users’ financial information).

There are the standard tips for consumers: change your passwords, don’t use the same password on multiple sites and watch out for phishing scams.

But a less-discussed nugget of information to emerge in coverage of the eBay breach is that hackers compromised its network in late February or early March, but the breach wasn’t uncovered until May. That “is a LOT of time for an attacker to be roaming around your network and systems,” Forrester analyst Tyler Shields told USA Today.

But eBay isn’t alone. A Verizon Data Breach Investigation Report says 66 percent of breaches took months or even years to discover. Why the delay? 1) Because it’s very difficult to monitor everything in a large and complex environment. 2) Cyber criminals benefit from being camouflaged as long as possible. DDoS attacks are usually just a distraction to cover real targets.

Cybercrime is not just a bored hacker with some aberrant happenstances getting the connections. It is a highly-organized, collaborative effort. According to Interpol, cybercrime has surpassed the total global sales of cocaine, heroin, and marijuana combined. It’s unimaginably lucrative and frustratingly difficult to police – particularly since cyber criminals don’t have the exposure of drug runners. They don’t grow anything or transport anything.

They’re also good at not leaving clues behind. Cybercrime is an invisible crime. There’s no trail of broken glass signaling a network break-in when you walk into your office on Monday morning.

In a 2012 Online Tech webinar titled “Healthcare Security Vulnerabilities,” security expert Adam Goslin of Total Compliance Tracking pointed out that breaches don’t just go unidentified for months … they more often are never discovered.

“The bottom line is there are organizations that get breached every day that don’t have any idea it has happened. The hacker is gaining access to the system — seriously, what better way to just continue to get a stream of data? You find a vulnerability that you exploit,” Goslin said.

“You get in there, you pull the data that you want, on your way out the door you go ahead and wipe off all the fingerprints and everything like that, and you walk away. Then, you come back another two months later, three months later, when there’s some more data and go do it again. There are many organizations just because of their lack of internal vigilance that don’t even know that they’ve been breached.”

There are reports that the government intends to question eBay about how hackers bypassed security to gain personal information from users, so we’ll learn more about this specific incident at that time. When data breach details become part of a court case or official inquiry, the reasons behind delayed detection become a matter of public record.

Thankfully we have attorney Tatiana Melnik, a frequent contributor to the Online Tech ‘Tuesdays at Two’ webinar series, who took a keen interest in a court case involving Wyndham Worldwide Corporation, which was arguing that the Federal Trade Commission couldn’t prosecute them for data breaches.

That case ended in an important decision that Melnik evaluated during a May 29 webinar session titled Is the FTC Coming After Your Company Next? (and is discussed further here and here).

However, it also shed some light on how a data breach can go months without being detected. Filings included issues the FTC highlighted as being problematic for Wyndham, which suffered three separate data breaches. Particularly, Wyndham did not have an inventory in place of computers and mobile devices from its chain of hotels and resorts that were connecting to its network. Nor did it have an intrusion detection system or intrusion response system in place.

Quoting Melnik, from her webinar:

Wyndham suffered three data breaches. The first one happened in April 2008. It was a brute force attack. It caused multiple user lockouts. I think we all know that when we start seeing all of the lockouts come up that there is definitely something going on in the system and we need to start investigating, because why would all of a sudden half the staff members be locked out and not able to get into their computers? This is where the issue of not having an adequate inventory comes in. Even though they were able to determine that the account lockout was coming from two computers on their network, they were not able to physically locate those computers. They didn’t know where they were. As a result, they didn’t find out that their network was compromised until four months later. That is a really, really long time to have some hacker from Russia in your network stealing all your data. That’s quite problematic.

The next attack happened in March 2009. This is where we’re reminded that you have to limit people’s access. This happened because someone gained access to the networks through a service provider’s administrator account in their Phoenix data center. This is again why somebody who is working at the data center level, do they need access to your PHI? Should they have access into that system? No, absolutely not. More problematically here, Wyndham didn’t find out until customers started complaining. They didn’t even know their systems were breached. They searched the network and they found the same malware that was used in attack No. 1. Think about it. Okay, well, you’ve been attacked. You were breached. Don’t you think that you would have some process in place to now gain your systems or at least the malware that was used the first time around so that if you see it again, you know that there’s something going on, something fishy there?

Then their final attack happened in late 2009, and again, they did not learn of their attacks from their internal processes and controls. They learned about the attack from a credit card issuer when they got a call saying, “Hey, listen, we are seeing a lot of frauds from credit cards that were used at your facility.” Certainly not the best way to find out that there is an incident.

In June 2013, respected cyber security blog Dark Reading published a comprehensive article titled ‘Why Are We So Slow to Detect Data Breaches?’ In it, author Ericka Chikowski writes that poor instrumenting of network sensors, bad security information and event management (SIEM) tuning, and a lack of communication within security teams allow breaches to fester.

Instrumenting: Analysts told Dark Reading that most network monitoring sensor infrastructure is poorly instrumented, defending the enterprise like a bank vault with one big door rather than protecting an entire city. Mike Lloyd of RedSeal Networks made three recommendations: 1) Map infrastructures to help place sensors. 2) Identify obvious weak points. 3) Start designing zones into the infrastructure so monitoring can be done more easily at zone boundaries.

SIEM tuning: Threat and vulnerability expert James Phillippe from Ernst & Young calls a well-tuned SIEM “the heart of a security operations center and enables alerting to be accurate and complete.” The tools that detect breaches are important, but how the people running those tools put them to use is critical.

Communication: Streamlining the collaboration between various security and operations team members proves to be a difficult task, Dark Reading writes: “Even with all of the right data residing within the organization as an aggregate, it is very easy to fail to put all of the puzzle pieces together due to a lack of coordination.” Jason Mical of AccessData says disparate teams using disparate tools causes “dangerous delays in validating suspected threats or responding to known threats.”


Download PCI Hosting White PaperRelated:
Encryption of Cloud Data white paper
Mobile Security white paper
Data breaches ending careers “right to the top” of C-suite


Resources:
Online Tech webinar: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices
Online Tech webinar: Healthcare Security Vulnerabilities
Dark Reading: Why are we so slow to detect data breaches?
USA Today: eBay urging users to change passwords after breach

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved