Thursday, December 12, 2024

Breach Investigations Show Alarming Advances In Malware

Hackers continue to improve malware, third-party vendors continue to serve their clients poorly when it comes to data security, and the evidence points to Russia as the single biggest source of attacks on databases. Those are some of the highlights in the new Global Security Report 2011 from Trustwave Holdings Inc., a big security-technology firm.

The report is based on more than 200 data-breach investigations and 2,300 penetration tests Chicago-based Trustwave conducted in 2010. Payment card data again were by far the assets hackers most sought, targeted in 85% of Trustwave’s cases. Sensitive company data were next at 8%, followed by trade secrets at 3%.

Criminals used so-called malicious software to harvest, or aggregate, data in 76% of Trustwave’s investigations last year, a 23% increase from 2009. They also used malware in 44% of cases to exfiltrate, or remove, data from targeted computer systems. “We did see an increase in the use of malware,” Nicholas J. Percoco, senior vice president and head of Trustwave’s SpiderLabs investigative unit, tells Digital Transactions News.

There’s more bad news: The malware is getting more sophisticated. The new breed of malware is virtually undetectable by current anti-virus software, according to Trustwave.

But technology is only part of the security story. Many of the lapses Trustwave found point squarely toward human error or indifference, especially on the part of third-party systems resellers and technology vendors that serve card-accepting merchants. Trustwave’s report for 2009 noted that problem, and not much has changed over the past year. Third parties were responsible for system administration in 88% of Trustwave’s 2010 investigations.

When setting up and operating computer systems and networks for merchants, outside vendors frequently take shortcuts such as leaving default passwords in place or failing to activate firewalls, according to Percoco. Such shortcuts often go undetected by technologically unsophisticated merchants who are glad to have expert help.

For example, point-of-sale software, which often contains card data, was attacked in 75% of the incidents Trustwave investigated. Percoco estimates that about three-fourths of such applications were compliant with the Payment Application Data-Security Standard (PA-DSS), the card networks’ common set of rules for card-processing software, but they nonetheless were vulnerable to compromise because of human error. “What we found was the systems were not installed or configured correctly,” he says.

The networks’ main security standard, the Payment Card Industry data-security standard, or PCI, has 12 major sections with more than 200 detailed rules. In three sections involving more emphasis on human activity than technology (monitoring network access, regularly testing security, and maintaining an internal security policy), 95% or more of breached entities failed to meet the requirements. And almost 98% failed to maintain a firewall, another major PCI requirement.

Other highlights:

–Food and beverage merchants accounted for 57% of breached entities, followed by retailers at 18%, hospitality merchants at 10%, and government and financial companies at 6% each. Hospitality was the leader in 2009, but Trustwave noted that a major organized crime group that earlier targeted mainly hotels expanded its focus to restaurants in 2010. This ring may have been involved in 36% of the breaches Trustwave investigated.

–For the first time, Trustwave broke out its incident report by geography. The Russian Federation came in first as the origin of 32% of the attacks investigated. Unknown locations were second at 24%, followed by Venezuela, 7%; the U.S., 6%; Canada and Indonesia, 4% each; and Germany, 3%. Percoco cautions, however, that the Internet Protocol (IP) addresses used to geo-locate a computer can be masked and do not always correctly indicate a hacker’s location.

–Some 60% of breaches Trustwave investigated were found through so-called regulatory detection, such as an annual PCI audit. Breached entities discovered 20% of compromises themselves, while the public reported 13% and law enforcement 7%. The average time between the start of the breach and its discovery was 156.5 days in cases of regulatory detection, and 87.5, 51.5, and 28 days in cases of public, law-enforcement, and self-detection, respectively.

–Data in transit were harvested in 66% of Trustwave’s breaches, compared with 26.5% for stored data and 7.5% for hybrid harvesting methods. Remote-access applications were the method of entry in 55% of the cases investigated.
