Data breaches from nowhere - most compromises still being discovered by third parties

Trustwave analysis of 574 incidents finds that victims are often the last to know


The majority of data breaches are still being detected by sources outside the affected organisations, security firm Trustwave has reported in its annual report on the topic. Most victims took around three months to uncover incidents.

Altogether, Trustwave investigated 574 breaches among its customer base during 2014. Although 15 countries were represented, the firm’s business orientation towards certain countries probably explains why half of those incidents were in the US, followed by Australia with 24 percent and the UK with 15 percent, although it is also possible that these countries are more heavily targeted.

In fact, the number of incidents was down on 2013, when it detected 691, with the US seeing an encouraging 9 percent drop in breaches year-on-year. Most of the breaches, 43 percent, were in retail, followed by food and beverage on 13 percent and hospitality on 12 percent.

What is still striking is how organisations discover breaches, how long they take to fix them, and how long it takes to identify the root causes so that they don’t recur.

In 2014, only 19 percent of breaches were self-detected, with 58 percent of incidents reported to victim organisations by regulatory bodies, card companies and banks. Law enforcement reported another 12 percent, with a variety of miscellaneous third parties covering 7 percent.

Only 4 percent were reported by consumers who are otherwise the last in the chain of victims to know something has gone wrong.

The average time between breach and discovery was 188 days, although Trustwave said it preferred to use the median of 86 days because it excludes outliers and is more typical. The median number of days it took companies to fix a breach after it had been discovered was seven.
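The mean-versus-median point above, and the discovery-source breakdown a few paragraphs earlier, are easy to reproduce over an incident register. The following is an added example, not Trustwave's data or code: the seven incident records are constructed, and the "source" labels (self, card brand, bank, regulator, law enforcement) are assumed categories chosen to mirror the report's. One long-running incident is included deliberately so that the mean dwell time lands far above the median, which is exactly why the report prefers the median.

```python
from collections import Counter
from datetime import date
from statistics import mean, median

# Constructed incident register (not Trustwave data). Each record holds the
# estimated date of initial compromise, the date the breach was discovered,
# who discovered it, and the date containment was completed.
INCIDENTS = [
    {"id": "inc-01", "compromised": date(2014, 1, 1),  "discovered": date(2014, 1, 31), "source": "card brand",      "contained": date(2014, 2, 3)},
    {"id": "inc-02", "compromised": date(2014, 2, 1),  "discovered": date(2014, 3, 18), "source": "self",            "contained": date(2014, 3, 23)},
    {"id": "inc-03", "compromised": date(2014, 3, 1),  "discovered": date(2014, 4, 30), "source": "bank",            "contained": date(2014, 5, 7)},
    {"id": "inc-04", "compromised": date(2014, 4, 1),  "discovered": date(2014, 6, 26), "source": "regulator",       "contained": date(2014, 7, 3)},
    {"id": "inc-05", "compromised": date(2014, 5, 1),  "discovered": date(2014, 8, 9),  "source": "card brand",      "contained": date(2014, 8, 19)},
    {"id": "inc-06", "compromised": date(2014, 6, 1),  "discovered": date(2014, 9, 29), "source": "self",            "contained": date(2014, 10, 13)},
    # Outlier: compromised in early 2012, not found for well over two years.
    {"id": "inc-07", "compromised": date(2012, 1, 15), "discovered": date(2014, 6, 29), "source": "law enforcement", "contained": date(2014, 7, 29)},
]


def dwell_times(incidents):
    """Days between initial compromise and discovery, one value per incident."""
    return [(i["discovered"] - i["compromised"]).days for i in incidents]


def dwell_summary(incidents):
    """Mean, median and maximum dwell time; the mean is dragged up by outliers."""
    d = dwell_times(incidents)
    return {"mean_days": mean(d), "median_days": median(d), "max_days": max(d)}


def containment_median(incidents):
    """Median days from discovery to containment (the report's 'time to fix')."""
    return median((i["contained"] - i["discovered"]).days for i in incidents)


def discovery_breakdown(incidents):
    """Percentage of incidents first reported by each discovery source."""
    counts = Counter(i["source"] for i in incidents)
    total = len(incidents)
    return {src: round(100 * n / total, 1) for src, n in counts.items()}


def third_party_discovery_pct(incidents):
    """Share of incidents the victim did not find on its own."""
    external = sum(1 for i in incidents if i["source"] != "self")
    return round(100 * external / len(incidents), 1)


if __name__ == "__main__":
    print("dwell:", dwell_summary(INCIDENTS))
    print("containment median:", containment_median(INCIDENTS))
    print("discovered by:", discovery_breakdown(INCIDENTS))
    print("third-party discovery %:", third_party_discovery_pct(INCIDENTS))
```

Run against this register, the mean dwell time is 191 days while the median is 86; the single outlier roughly doubles the mean without moving the median, which is the behaviour that makes the median the more honest headline number for a skewed distribution like dwell time.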

The sting in the tail of this report is the set of underlying weaknesses that made many of the incidents possible, with two areas, weak passwords and poorly secured remote access, jumping out from Trustwave’s figures and graphs.

Weak remote access of the sort implicated in huge incidents such as the Target breach was connected to 28 percent of incidents, with poor passwords accounting for another 28 percent. Other causes were unpatched software flaws at 15 percent, misconfigurations (for example on e-commerce servers) at 8 percent and malicious insiders at 6 percent.

The fact that flaws and insiders were behind a combined total of only 14 percent of incidents is interesting, given the emphasis many security vendors have placed on them of late. On the basis of Trustwave’s customer base, remote access and password policies are the more important areas to look at.

Application design issues such as weak validation (leading to SQL injection attacks for instance) lay behind 15 percent of incidents, another area that isn’t always given huge attention.

Remarkably, the most common password was still ‘password1’, which is to say that defaults had not been reset on many systems, particularly those connected to point-of-sale terminals. Meanwhile, 39 percent of passwords were only eight characters long, which Trustwave said its researchers could crack in one day.

Adding only two more characters would extend this to 591 days, which means that many breach victims could greatly improve their security without having to do anything more complex than ask admins to hit an additional two keys.
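The two password findings above (unchanged defaults such as ‘password1’, and eight-character passwords that two extra characters would make far harder to crack) translate directly into a policy check that can be run over an account inventory, for example during a point-of-sale configuration review. The following is an added example, not code from Trustwave or the report: the 10-character minimum is an assumption taken from the report's eight-plus-two, the deny list and the sample inventory are constructed, and the character-class sizes (26, 26, 10, 32) are standard assumptions. The report's one-day and 591-day figures come from Trustwave's own cracking setup; the example only shows how many times larger the search space becomes when length is added, which is where the extra days come from.

```python
import string

# Policy constants (assumptions for this example, not Trustwave's policy).
MIN_LENGTH = 10  # the report's eight characters plus the two it recommends adding
KNOWN_DEFAULTS = {  # constructed deny list; 'password1' is the value the report names
    "password1", "password", "admin", "welcome1", "123456",
}


def charset_size(pw: str) -> int:
    """Size of the alphabet formed by the character classes actually used in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(pw: str) -> int:
    """Number of candidates an exhaustive search of pw's length and classes covers."""
    return charset_size(pw) ** len(pw)


def extra_length_factor(charset: int, extra_chars: int) -> int:
    """How many times larger the keyspace becomes when extra_chars are appended."""
    return charset ** extra_chars


def audit_password(pw: str) -> list[str]:
    """Return the policy findings for a single password (empty list = compliant)."""
    findings = []
    if pw.lower() in KNOWN_DEFAULTS:
        findings.append("matches a known default/common password")
    if len(pw) < MIN_LENGTH:
        findings.append(f"length {len(pw)} is below the {MIN_LENGTH}-character minimum")
    if charset_size(pw) <= 36:  # lowercase and/or digits only
        findings.append("uses only lowercase letters and/or digits")
    return findings


def audit_inventory(entries: dict[str, str]) -> dict:
    """Summarise an account -> password inventory the way a review report would."""
    results = {acct: audit_password(pw) for acct, pw in entries.items()}
    flagged = {acct: f for acct, f in results.items() if f}
    too_short = sum(1 for pw in entries.values() if len(pw) < MIN_LENGTH)
    return {
        "accounts": len(entries),
        "flagged": len(flagged),
        "too_short_pct": round(100 * too_short / len(entries)),
        "findings": flagged,
    }


# Constructed sample inventory (not real credentials).
SAMPLE_INVENTORY = {
    "pos-admin": "password1",        # the unchanged default the report names
    "pos-svc": "Summer14",           # 8 characters, mixed case plus digits
    "backoffice": "Tr4ck-Sh1pm3nt!", # 15 characters, four classes
    "remote-vnc": "store0042",       # 9 characters, lowercase plus digits
    "db-app": "Xk9#mL2$pQ7v",        # 12 characters, four classes
}

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    print(f"{report['flagged']} of {report['accounts']} accounts flagged, "
          f"{report['too_short_pct']}% below {MIN_LENGTH} characters")
    for acct, findings in report["findings"].items():
        print(f"  {acct}: {'; '.join(findings)}")
    # An eight-character mixed-case alphanumeric password has a 62-symbol alphabet;
    # two more characters multiply the search space by 62**2.
    print("factor for +2 characters at 62 symbols:", extra_length_factor(62, 2))
```

The `extra_length_factor` call is the point the article is making in code: for a 62-symbol alphabet, two additional characters multiply the exhaustive search space by 3,844, and the factor grows with the alphabet, so lengthening a password is the cheapest change with the largest effect on brute-force effort.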

“To defend against today’s sophisticated criminals, businesses must see attacks from their front windshield instead of their rear view mirror,” commented Trustwave CEO, Robert J. McCullen.

“By providing a wealth of current, actionable data breach trends and threat intelligence, our 2015 Global Security Report helps businesses identify what’s coming so that they can engage the people, processes and technologies needed to thwart cybercrime attacks,” he said.

One issue with this report, as with almost every breach study, is that it offers insight into the past, not the present. It looks at incidents, some of which were discovered up to 18 months ago and might have begun in 2013.

However, what is clear is that organisations in some sectors are not taking basic precautions, starting with fixing obvious software flaws, testing web servers for application vulnerabilities, designing password and remote access security into their policies and using encryption across all data. They are, in short, making life far too easy for attackers.

Beyond that, they lack adequate means of detecting that a breach has occurred, even if many seem to clear up the mess within a matter of days. But without better front-of-shop security, organisations could be doomed to repeat the same mistakes over and over as they run up big bills for the forensics (including from firms such as Trustwave) needed to root out criminals from their networks.

The most comprehensive data breach report remains Verizon's long-running annual Data Breach Investigations Report (DBIR), which in April raised the interesting possibility that, while breaches remain a major issue, their considerable cost has sometimes been exaggerated.
