This article was first published on IRMI.com and is reproduced with permission.
Copyright 2012, International Risk Management Institute, Inc.
As breaches continue to occur and affected organizations determine whether and how to disclose these breaches, breaches and disclosure continue to be the subject of reports as well as media, legislative, and regulatory attention. See, for example, Melissa J. Krasnow, Securities and Exchange Commission Issues Guidance on Cybersecurity and Cyber Incident Disclosure (Dec. 2011).
by Melissa J. Krasnow
Partner, Dorsey & Whitney LLP
The 2011 Verizon Data Breach Investigations Report examined breaches that Verizon, the U.S. Secret Service, and the Dutch National High Tech Crime Unit investigated in 2010. This report classified and tallied the types of cyber threats that contributed to breaches. Hacking and malware were utilized in the majority of the breaches, at 50 percent and 49 percent, respectively. Social engineering was involved in 11 percent of the breaches. These three types of cyber threats from the report, and the terms related to them, are often used without being defined.
This article provides definitions of and statistics from the report about hacking, malware, and social engineering as well as the related terms pretexting, phishing, and spear phishing.
Hacking is a broad term that describes all attempts to intentionally access or harm information assets without or in excess of authorization by thwarting logical security mechanisms. The three methods of hacking utilized most commonly in hacking breaches were exploitation of back doors or command/control functionality, exploitation of default or guessable credentials, and brute force and dictionary attacks, at 73 percent, 67 percent, and 52 percent, respectively. With a back door installed, an attacker can bypass security mechanisms and obtain access without using legitimate channels. Regarding the other two methods, an attacker tries a few well-known combinations of default credentials used on various types of systems and, if necessary, then runs a brute force attack to crack the system.
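The two credential-based hacking methods described above (default or guessable credentials, then brute force) leave a recognizable trace in authentication logs: a burst of failures from one source, often against vendor-default account names, followed by a success. The following is an added example of that detection logic, not code from the article or from the Verizon report; the log format, the sample log lines, and the short list of default account names are all constructed assumptions.

```python
"""Flag credential-guessing activity in authentication logs.

Added example; not from the article or the Verizon report. The log lines
below are constructed, and the line format (timestamp, result, user,
source IP) is an assumption rather than any particular product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One source tries several
# default accounts in quick succession and finally gets in; the other is a
# normal user who mistyped a password once.
SAMPLE_LOG = """\
2012-03-01T10:00:01 FAIL user=admin src=203.0.113.7
2012-03-01T10:00:02 FAIL user=root src=203.0.113.7
2012-03-01T10:00:03 FAIL user=admin src=203.0.113.7
2012-03-01T10:00:04 FAIL user=guest src=203.0.113.7
2012-03-01T10:00:05 FAIL user=admin src=203.0.113.7
2012-03-01T10:00:06 FAIL user=admin src=203.0.113.7
2012-03-01T10:00:07 OK user=admin src=203.0.113.7
2012-03-01T10:05:00 FAIL user=jsmith src=198.51.100.20
2012-03-01T11:00:00 OK user=jsmith src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

# Illustrative vendor-default account names (assumption: a real deployment
# would use the vendor's own list for the systems it monitors).
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}


def parse(log_text):
    """Parse log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return sources with at least `threshold` failures inside a sliding window.

    Each alert records the peak failure count seen in any window, whether
    those failures targeted default account names, and whether a successful
    login from the same source followed the last failure in the window.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            if src in alerts and alerts[src]["failures"] >= count:
                continue  # keep the largest window already recorded
            window_users = {e[2] for e in fails[start:end + 1]}
            last_fail = fails[end][0]
            alerts[src] = {
                "failures": count,
                "default_accounts": bool(window_users & DEFAULT_ACCOUNTS),
                "success_after_failures": any(
                    e[1] == "OK" and e[0] >= last_fail for e in evs
                ),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, info)
```

The threshold and window are deliberately simple; the point is that a source whose failures cluster on default account names and then succeed is the pattern the report describes, and it is cheap to spot from logs you already keep.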
Malware is short for malicious software and means any software or code developed or used for compromising or harming information assets without the owner’s informed consent. Malware enables or prolongs access, captures data, and/or furthers the attack. The most common means of infection for malware is installation or injection by a remote attacker, constituting 81 percent of malware infections. One example is an attacker breaching a system and then deploying malware or injecting code via SQL injection or other Web application input functionality. Web-based malware, the second most common means of infection, comprises code that is auto-executed (also known as drive-by downloads) and code that requires additional user interaction beyond the page visit (e.g., fake audiovisuals scaring users to “click here to scan and clean your infected system”).
Sending data to an external site/entity, back door, and keylogger/form-grabber/spyware were the three most common functions found in malware breaches, at 79 percent, 78 percent, and 66 percent, respectively. A back door allows an attacker unauthorized access to infected devices, and an attacker can install additional malware, use the device as a launch point for further attacks, or retrieve captured data. A keylogger is typically built by the attacker as a preconfigured remote installation package, deployed on a target system, that captures data from user activity.
When malware captures sensitive information, it must be taken out of the organization’s environment: Either the malware sends it out of the organization (in almost 8 out of 10 incidents involving malware) or the attacker reenters the network to retrieve it. The general rule is that smaller packets are sent out (e.g., credentials captured by keyloggers) while larger amounts of data are retrieved (e.g., the contents of a network file share transmitted through a back door’s file transfer capabilities).
In a social engineering attack, an attacker uses human interaction (i.e., social skills) to obtain or compromise information about an organization or its computer systems. Social engineering tactics include deception, manipulation, and intimidation to exploit the human element or users of information assets. An attacker may be able to put together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, the attacker may contact a source within the same organization and rely on the information from the first source to add to his or her credibility. Often, these actions are used together with other types of cyber threats and can be conducted through both technical and nontechnical means.
Solicitation and bribery were the most common type of social engineering tactic, used in 74 percent of social engineering breaches. Solicitation and bribery frequently entail collusion between an external agent and an insider. One party uses petitions, promises, and payments to get another to participate in the crime.
Pretexting was used in 44 percent of social engineering breaches. Pretexting is the practice of getting an individual’s personal information under false pretenses using a variety of tactics. The pretexter may be able to obtain personal information including a Social Security number, bank and credit card account numbers, information in a credit report, and the existence and size of savings and investment portfolios. However, some information about an individual may be a matter of public record, including whether they own a house, pay their real estate taxes, or have ever filed for bankruptcy. It is not pretexting for another person to collect this kind of information.
Counterfeiting and forgery were used in 16 percent of social engineering breaches and can involve everything from websites to documents (e.g., the use of fake credentials such as driver’s licenses or birth certificates).
Phishing attacks were used in 11 percent of social engineering breaches. Phishing attacks use e-mail or malicious websites to solicit personal information by posing as a trustworthy organization. For instance, an attacker may send e-mail appearing to be from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, an attacker can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, like charities. Attackers often take advantage of current events and certain times of the year, including: (1) natural disasters (e.g., Hurricane Katrina), (2) epidemics and health scares (e.g., H1N1), (3) economic concerns (e.g., Internal Revenue Service scams), (4) major political elections, and (5) holidays. Interestingly, phishing attacks are being used more often to gain a toehold in the victim’s environment through attached malware.
Spear phishing involves targeted e-mails that typically are used as a catalyst for individuals to click on hyperlinks or open attachments, allowing the downloading of malicious content to the user’s device and the unauthorized entry into an organization’s network. Business activities and products that could be leveraged by an attacker to develop targeted e-mails addressed to individuals within an organization include:
• media releases,
• business mergers and acquisitions,
• business reports/stock reports/financial statements,
• competing for contracts,
• awarded contracts,
• technological breakthroughs,
• international dealings,
• other public information of interest to malicious actors,
• natural disasters,
• referred to by other parties in their public release statements,
• government/industry events,
• government or industry work stoppages,
• international or political events.
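Both the phishing paragraph and the spear-phishing list above come down to the same mechanism: an e-mail that poses as a trustworthy organization and carries a hyperlink whose real destination differs from what the reader is shown. The following is an added example of a defender-side check for that mismatch, not code from the article or from the Verizon report; the message body, the claimed sender address, and the domains in it are constructed, and the "last two labels" domain comparison is a simplifying assumption in place of a public suffix list.

```python
"""Flag deceptive hyperlinks in an e-mail body.

Added example; not from the article or the Verizon report. The message and
sender below are constructed, and registrable_domain() is a deliberate
simplification (assumption: no public suffix list is available).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed claimed sender and message body (not a real e-mail).
SAMPLE_SENDER = "alerts@example-bank.com"
SAMPLE_HTML = """\
<p>We noticed a problem with your account. Please
<a href="http://example-bank.com.login-verify.example.net/reset">
https://www.example-bank.com/reset</a> to confirm your details.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help center</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the owner's domain by the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL, or an empty string if it has none."""
    return urlparse(url).hostname or ""


def text_looks_like_url(text):
    return text.startswith(("http://", "https://", "www."))


def find_suspicious_links(html, sender_address):
    """Return links whose shown URL or target domain does not match expectations.

    Two checks per anchor: (1) if the visible text is itself a URL, its host
    must agree with the href's host; (2) the href's domain should match the
    domain of the address the message claims to come from.
    """
    sender_domain = registrable_domain(sender_address.rsplit("@", 1)[-1])
    parser = AnchorCollector()
    parser.feed(html)

    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if text_looks_like_url(text):
            shown = text if "://" in text else "http://" + text
            if registrable_domain(host_of(shown)) != registrable_domain(href_host):
                reasons.append("visible URL host differs from actual target")
        if registrable_domain(href_host) != sender_domain:
            reasons.append("target domain differs from sender domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_HTML, SAMPLE_SENDER):
        print(finding)
```

On the constructed message, only the "reset" link is reported: its visible text names the bank's own domain while the href points at a lookalike host, and that host does not belong to the claimed sender's domain. The help-center link, which really does point at the sender's domain, passes both checks. A mail gateway or user-awareness tool can apply the same two comparisons before a reader ever sees the message.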