Archive for October, 2011

Verizon 2011 Data Breach Investigation Report – breaches down, or are they?

Monday, October 17th, 2011

The 2011 Data Breach Investigation Report (DBIR) from Verizon (http://bit.ly/pt5xV9) now incorporates data from the United States Secret Service and the Dutch National High Tech Crime Unit as well as Verizon’s own data.  It is a comprehensive report, extensively covering data breach activity in 2010, and it draws some interesting, and sometimes almost contradictory, conclusions.

2008 saw a record number of 361 million records compromised, 2009 saw a reduction to 144 million, and in 2010 that number dropped to 4 million.  Hang on, 144 million -> 4 million?  As the report says, that’s almost a rounding error!  Not to say that 4 million records compromised is good, that’s still 4 million more than we’d ideally have to deal with, but it’s a pretty radical reduction.  So, one question might be “Why?”.  As it turns out, the main reason is that, for some reason, 2010 had virtually no “mega” attacks, which typically bump the numbers up by a million or more.  But let’s continue to look…

In actual fact, now that we are more than 9 months through this year, we know enough to determine whether 2010 was part of a long term trend of data breach reduction, or an anomaly.  And with the Sony, Epsilon, RSA and Citi breaches already behind us in 2011, the unfortunate news is that the numbers this year are likely to be back up.  In fact, numerous industry observers are now saying that 2011 is likely to be the worst year on record, in terms of number of records compromised.

So perhaps a better idea is to look at the trends indicated by the Verizon report, along with the knowledge of the 2011 breaches, to identify what we could and should be doing better.

One of the interesting facts from the Verizon report is that, even though the total number of records compromised was (WAY) down, the actual number of breaches was up (761 in 2010, versus a total from 2004-2009 of 900).  This is partly due to the inclusion of the Dutch data, but it also shows that cybercriminals are now willing to perform their exploits for smaller returns, which itself is a little worrying.

Another interesting statistic – 83% of all attacks were opportunistic, meaning the victim was identified because they exhibited a weakness or vulnerability that the attacker could exploit.  Often these were due to POS and other systems being installed with default user information, which became known within the criminal community.  Put another way, closing down these relatively simple (and obvious) loopholes could drastically reduce the occurrence of data breaches.

The other 17% of attacks were targeted, meaning that the victim was first chosen as the target, then a method of exploitation was determined.  Unfortunately, but not surprisingly, the financial industry was most represented in the ranks of the targeted attack victims.

Following on from the targeted attack point, 96% of all records compromised were card numbers and/or card data, a truly worrying figure.

So, what can we learn from this?

We know from the number of attacks in the first half of this year that cybercrime is not decreasing.  Both the number of attacks, and the cost of those attacks, continue to rise.  Cybercriminals utilise opportunistic attacks for relatively small gains in many cases, and targeted attacks on financial institutions.  Card numbers continue to be stolen, in large volumes.

It remains critical to protect sensitive data, both at rest, and in transit.

  • Use SSL and file encryption solutions when possible.
  • Ensure that the platforms/applications receiving the sensitive data also protect it.
  • Get to know the security administrators on those platforms and ask them to do the same with the applications/platforms they share data with.

Remove as many areas of opportunistic attack as possible:

  • Don’t use default userids and passwords.
  • Put granular access control and auditing in place.
  • Feed your audit data (from all platforms and applications) into a SIEM device to get an enterprise-wide view of your security events.
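As an added illustration of the last two points (not code from the original post or from XYPRO), here is a small Python script that normalises logon audit records from two constructed source formats into one event schema, as a SIEM would, and flags two opportunistic-attack indicators the post describes: successful logons by vendor-default user IDs, and repeated failed logons from one source. The log formats, host addresses and the default-account list are all constructed for the example.

```python
"""Added example: normalise multi-platform logon audit lines and flag
default-account logons and repeated failures. All formats and values
are constructed for illustration; they are not any product's real format."""
import re
from collections import Counter

# Constructed list of vendor-default user IDs an auditor would want retired.
DEFAULT_USERIDS = {"admin", "super.super", "pos", "guest"}

# Source format 1 (constructed): a POS terminal syslog-style line.
PAT_POS = re.compile(r'^(?P<ts>\S+) pos\[\d+\]: login user=(?P<user>\S+) '
                     r'result=(?P<result>OK|FAIL) src=(?P<src>\S+)$')
# Source format 2 (constructed): a pipe-delimited application audit record.
PAT_APP = re.compile(r'^(?P<ts>\S+)\|(?P<src>[^|]+)\|LOGON\|(?P<user>[^|]+)'
                     r'\|(?P<result>SUCCESS|FAILURE)$')

def normalise(line):
    """Map one raw audit line to a common event dict; None if unrecognised."""
    for pat in (PAT_POS, PAT_APP):
        m = pat.match(line)
        if m:
            return {"ts": m["ts"], "user": m["user"].lower(), "src": m["src"],
                    "ok": m["result"] in ("OK", "SUCCESS")}
    return None  # unknown format: drop, a real SIEM would count these too

def findings(lines, fail_threshold=3):
    """Return (indicator, user, src) tuples for the two checks."""
    events = [e for e in (normalise(l) for l in lines) if e]
    out, fails = [], Counter()
    for e in events:
        if e["ok"] and e["user"] in DEFAULT_USERIDS:
            out.append(("default_account_logon", e["user"], e["src"]))
        if not e["ok"]:
            fails[(e["user"], e["src"])] += 1
    for (user, src), n in fails.items():
        if n >= fail_threshold:
            out.append(("repeated_failed_logon", user, src))
    return out

# Constructed sample feed from two platforms, plus one unparseable line.
SAMPLE = [
    "2011-10-17T09:00:01Z pos[412]: login user=admin result=OK src=10.0.0.7",
    "2011-10-17T09:00:05Z pos[412]: login user=cashier3 result=OK src=10.0.0.7",
    "2011-10-17T09:01:10Z|10.0.0.99|LOGON|super.super|FAILURE",
    "2011-10-17T09:01:12Z|10.0.0.99|LOGON|super.super|FAILURE",
    "2011-10-17T09:01:15Z|10.0.0.99|LOGON|super.super|FAILURE",
    "2011-10-17T09:02:00Z|10.0.0.5|LOGON|alice|SUCCESS",
    "not an audit record at all",
]

if __name__ == "__main__":
    for indicator, user, src in findings(SAMPLE):
        print(indicator, user, src)
```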

XYPRO’s XYGATE security suite can address all these areas, and more.  For more information on how XYGATE can help secure your HP NonStop platform, applications and data, please see our website www.xypro.com, or email me at andrew_p@xypro.com.

Andrew Price
XYPRO Technology Corporation
www.xypro.com

XYPRO Employees PCI ISA Certified

Monday, October 17th, 2011

We are pleased and proud to announce that several of our own have passed the new PCI ISA Exam! The PCI SSC Internal Security Assessor Program (ISA) provides an opportunity for eligible internal security assessors at qualifying organizations to receive PCI DSS training and certification. The training improves participating organizations’ understanding of the PCI DSS, helps facilitate interactions with QSAs, enhances the quality, reliability, and consistency of internal PCI DSS self-assessments, and supports the consistent and proper application of PCI DSS measures and controls.

The PCI Data Security Standard (PCI DSS) is a worldwide information security standard that ensures that any organization that processes card payments adheres to security processes and procedures that protect cardholder data and reduce credit card fraud. However, since the standards apply to a diverse array of service providers and merchants, the PCI DSS rules are stated as simply as possible, without specific details of how the goal of the standard is to be achieved. As a result, there are several gaps to achieving compliance on the HP NonStop server. Simply put, there are PCI requirements that cannot be met without the use of third party security products. Specifically, XYGATE.

At XYPRO, we provide highly regarded Security Review and Configuration Services, as well as assisting with “Fast Track” implementations of XYGATE software for compliance.  In addition, we provide several education and training services, including those geared to help QSAs and Security Auditors in their understanding and evaluation of PCI DSS in HP NonStop environments.

We are committed to understanding PCI requirements as well as validating and maintaining ongoing compliance with PCI standards. This recent achievement underscores our commitment to be the best certified NonStop security vendor in the market.  Contact us now at barry_f@xypro.com for a PCI compliance consultation.

Barry Forbes
VP of Sales & Marketing
XYPRO Technology Corporation