Hacking, Malware, and Social Engineering—Definitions of and Statistics about Cyber Threats Contributing to Breaches

This article was first published on IRMI.com and is reproduced with permission.
Copyright 2012, International Risk Management Institute, Inc.

As breaches continue to occur and affected organizations determine whether and how to disclose these breaches, breaches and disclosure continue to be the subject of reports as well as media, legislative, and regulatory attention. See, for example, Melissa J. Krasnow, Securities and Exchange Commission Issues Guidance on Cybersecurity and Cyber Incident Disclosure (Dec. 2011).

by Melissa J. Krasnow
Partner, Dorsey & Whitney LLP

The 2011 Verizon Data Breach Investigations Report examined breaches that Verizon, the U.S. Secret Service, and the Dutch National High Tech Crime Unit investigated in 2010. This report classified and tallied the types of cyber threats that contributed to breaches. Hacking and malware were utilized in the majority of the breaches, at 50 percent and 49 percent, respectively. Social engineering was involved in 11 percent of the breaches. These three types of cyber threats from the report, and the terms related to them, are often used without being defined.

This article provides definitions of and statistics from the report about hacking, malware, and social engineering as well as the related terms pretexting, phishing, and spear phishing.

Hacking

Hacking is a broad term that describes all attempts to intentionally access or harm information assets without or in excess of authorization by thwarting logical security mechanisms. The three methods of hacking utilized most commonly in hacking breaches were exploitation of back doors or command/control functionality, exploitation of default or guessable credentials, and brute force and dictionary attacks, at 73 percent, 67 percent, and 52 percent, respectively. With a back door installed, an attacker can bypass security mechanisms and obtain access without using legitimate channels. Regarding the other two methods, an attacker tries a few well-known combinations of default credentials used on various types of systems and, if necessary, then runs a brute force attack to crack the system.
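The sequence described above (a few default-credential attempts, then a brute force or dictionary run) leaves a recognizable trail in authentication logs. The following is an added example, not part of the original article or the Verizon report, of how a defender might flag both patterns per source address; the log format, default-account list, thresholds, and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest"}  # assumed list
BRUTE_THRESHOLD = 5                   # assumed: failed logins per source ...
BRUTE_WINDOW = timedelta(minutes=1)   # ... inside this sliding window

# Constructed sample log: "<ISO time> <source IP> <account> <FAIL|OK>"
SAMPLE_LOG = """\
2011-03-01T02:00:01 203.0.113.7 admin FAIL
2011-03-01T02:00:09 203.0.113.7 root FAIL
2011-03-01T02:05:00 198.51.100.4 jsmith FAIL
2011-03-01T02:05:02 198.51.100.4 jsmith FAIL
2011-03-01T02:05:04 198.51.100.4 jsmith FAIL
2011-03-01T02:05:06 198.51.100.4 jsmith FAIL
2011-03-01T02:05:08 198.51.100.4 jsmith FAIL
2011-03-01T02:05:10 198.51.100.4 jsmith OK
2011-03-01T09:00:00 192.0.2.10 alice FAIL
2011-03-01T09:00:20 192.0.2.10 alice OK
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, src, account, result = line.split()
        yield datetime.fromisoformat(ts), src, account.lower(), result

def classify(log):  # returns {source IP: set of labels} for flagged sources
    by_src = defaultdict(list)
    for event in parse(log):
        by_src[event[1]].append(event)
    findings = {}
    for src, events in by_src.items():
        events.sort()
        fails = [e for e in events if e[3] == "FAIL"]
        labels = set()
        # Pattern 1: failures against several well-known default accounts.
        if len({e[2] for e in fails if e[2] in DEFAULT_ACCOUNTS}) >= 2:
            labels.add("default-credential guessing")
        # Pattern 2: BRUTE_THRESHOLD failures inside one sliding window.
        if any(fails[i + BRUTE_THRESHOLD - 1][0] - fails[i][0] <= BRUTE_WINDOW
               for i in range(len(fails) - BRUTE_THRESHOLD + 1)):
            labels.add("brute force/dictionary")
        # Escalate when a success follows the failures from a flagged source.
        if labels and any(e[3] == "OK" and e[0] > fails[0][0] for e in events):
            labels.add("success after failures")
        if labels:
            findings[src] = labels
    return findings

print(classify(SAMPLE_LOG))
```

The single mistyped password from 192.0.2.10 is not flagged, while the source that succeeds after a burst of failures is escalated for immediate review.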

Malware

Malware is short for malicious software and means any software or code developed or used for compromising or harming information assets without the owner’s informed consent. Malware enables or prolongs access, captures data, and/or furthers the attack. The most common means of infection for malware is installation or injection by a remote attacker, constituting 81 percent of malware infections. One example is an attacker breaching a system and then deploying malware or injecting code via SQL injection or other Web application input functionality. Web-based malware, the second most common means of infection, comprises code that is auto-executed (also known as drive-by downloads) and code that requires additional user interaction beyond the page visit (e.g., fake audiovisuals scaring users to “click here to scan and clean your infected system”).

Sending data to an external site/entity, back door, and keylogger/form-grabber/spyware were the three most common functions found in malware breaches, at 79 percent, 78 percent, and 66 percent, respectively. A back door allows an attacker unauthorized access to infected devices, and an attacker can install additional malware, use the device as a launch point for further attacks, or retrieve captured data. A keylogger allows an attacker to build a preconfigured remote installation package that is deployed on a target system and captures data from user activity.

When malware captures sensitive information, it must be taken out of the organization’s environment: either the malware sends it out of the organization (in almost 8 out of 10 incidents involving malware) or the attacker reenters the network to retrieve it. The general rule is that smaller packets are sent out (e.g., credentials captured by keyloggers) while larger amounts of data are retrieved (e.g., the contents of a network file share transmitted through a back door’s file transfer capabilities).

Social Engineering

In a social engineering attack, an attacker uses human interaction (i.e., social skills) to obtain or compromise information about an organization or its computer systems. Social engineering tactics include deception, manipulation, and intimidation to exploit the human element or users of information assets. An attacker may be able to put together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, the attacker may contact a source within the same organization and rely on the information from the first source to add to his or her credibility. Often, these actions are used together with other types of cyber threats and can be conducted through both technical and nontechnical means.

Solicitation and bribery were the most common type of social engineering tactic, used in 74 percent of social engineering breaches. Solicitation and bribery frequently entail collusion between an external agent and an insider. One party uses petitions, promises, and payments to get another to participate in the crime.

Pretexting

Pretexting was used in 44 percent of social engineering breaches. Pretexting is the practice of getting an individual’s personal information under false pretenses using a variety of tactics. The pretexter may be able to obtain personal information including a Social Security number, bank and credit card account numbers, information in a credit report, and the existence and size of savings and investment portfolios. However, some information about an individual may be a matter of public record, including whether they own a house, pay their real estate taxes, or have ever filed for bankruptcy. It is not pretexting for another person to collect this kind of information.

Counterfeiting and forgery were used in 16 percent of social engineering breaches and can involve everything from websites to documents (e.g., the use of fake credentials such as driver’s licenses and birth certificates).

Phishing

Phishing attacks were used in 11 percent of social engineering breaches. Phishing attacks use e-mail or malicious websites to solicit personal information by posing as a trustworthy organization. For instance, an attacker may send e-mail appearing to be from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, an attacker can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, like charities. Attackers often take advantage of current events and certain times of the year, including: (1) natural disasters (e.g., Hurricane Katrina), (2) epidemics and health scares (e.g., H1N1), (3) economic concerns (e.g., Internal Revenue Service scams), (4) major political elections, and (5) holidays. Interestingly, phishing attacks are being used more often to gain a toehold in the victim’s environment through attached malware.

Spear Phishing

Spear phishing involves targeted e-mails that typically are used as a catalyst for individuals to click on hyperlinks or open attachments, allowing the downloading of malicious content to the user’s device and the unauthorized entry into an organization’s network. Business activities and products that could be leveraged by an attacker to develop targeted e-mails addressed to individuals within an organization include:

• media releases,
• business mergers and acquisitions,
• business reports/stock reports/financial statements,
• competition for contracts,
• awarded contracts,
• technological breakthroughs,
• international dealings,
• other public information of interest to malicious actors,
• natural disasters,
• references by other parties in their public release statements,
• government/industry events,
• government or industry work stoppages,
• and international or political events.
