Behind the hack: The eyes of the enemy
Trustwave’s Threat Intelligence Manager Karl Sigler
In light of the recent string of high-profile data breaches, information security is quickly becoming a front-burner issue. According to a recent Trustwave survey of more than 800 IT professionals worldwide, 58 percent expect to be under more pressure to secure their organizations in 2014 than they were last year.
Understanding how attackers choose and penetrate their targets is useful for developing security strategies. To do this you must either think like a hacker or have a history of investigating thousands of data breaches to understand common attack methods and the underground criminal world.
In a 2014 report released by our experts, the retail industry topped the list of most targeted businesses, followed by the food & beverage industry and hospitality. Almost all of these businesses accept payment card information, which criminals know they can sell on the black market for a lucrative profit. After all, at the end of the day, cybercriminals are businessmen. Criminals also know that for most of these businesses, cybersecurity is not their core competency, which makes them especially attractive targets.
Once criminals select the business they want to target, they conduct extensive research. Through publicly available information, resourceful criminals can learn things like the business’s address, names and contact information of employees, the parcel provider the business prefers, the names of catering and laundering services and much more. If the chosen victim is extremely lucrative, or if the attacker has a personal vendetta against that business, there is no limit to the time and energy he or she will expend to gather this information.
To get in, criminals typically use automated tools that search thousands of IP addresses looking for specific markers. They then use other tools to connect to the businesses’ internal systems the same way a legitimate employee would: with a username and password.
Unfortunately, many employees use weak, easily guessable or even default passwords for administrative accounts. According to the same report, weak passwords opened the door for the initial intrusion in 31 percent of compromises we investigated in 2013. The attackers test a variety of commonly used passwords until one works and they gain administrative access.
Part of the problem in building effective security controls is that IT teams are frequently stovepiped. There are application, server, infrastructure and desktop groups who often have little or no security expertise. If there is a security group, it’s usually off to the side and is typically one of the last teams to see a project before it is rolled out.
This kind of segmentation needs to change. The security group needs to be a top priority. If resources are lacking, businesses should consider partnering with a third-party team of security experts whose sole responsibility is to install, monitor, fine-tune and manage security controls and services.
Given the reputational damage of large security breaches, it’s also time to make security a board-level issue. Believe me, management is paying attention. Our 2014 Security Pressures Report found that half of the respondents said they’re feeling the most security-related pressure from their organization’s owners, board, or C-level executives. That’s good, but there’s still room for improvement.
In our own experience working with businesses over the past 12-18 months, we’ve noticed a shift in attitude among business leaders. Whereas they previously asked, “Are we secure?” now they’re asking “How are we secure? Show me.” This deeper probing demonstrates that businesses are on the right track.
Data security is the cost of doing business in the digital age. There are only three types of organizations – those that have been breached, those that are being breached and don’t know it, and those that are about to be breached. Which one are you?
About the Author
Karl Sigler
Karl is a Threat Intelligence Manager at Trustwave where he is responsible for identifying, researching and analyzing security vulnerabilities as well as malware-related attacks and other trending threats. Before joining Trustwave in 2013, Karl worked as the head of the IBM X-Force Education group for 12 years and has presented on topics like intrusion analysis and penetration testing to audiences in more than 30 countries.