Showing posts with label online games. Show all posts

Wednesday, April 27, 2011

Unplug Everything!

Just kidding…partially.  Have you seen the latest 2011 Verizon Data Breach Investigations Report?  It is chock full of data about breaches, vulnerabilities, industry demographics, threats and all the other internet security terms that make the headlines.  It is an interesting view into cybercrime and, like last year, there is also information and analysis from the US Secret Service, who arrested more than 1200 cybercrime suspects in 2010.  One very interesting note from the Executive Summary is that while the total number of records compromised has steadily gone down – ‘08: 361 million, ‘09: 144 million, ‘10: 4 million – the caseload for cybercrime is at an all-time high – 141 breaches in 2009 to a whopping 760 in 2010.  One reason may be that the criminals themselves are running the time-honored ‘risk vs. reward’ scenario when determining their bounty.  Hey, just like the security pros!  Oh yeah….the crooks are pros too.  Rather than going after the huge financial institutions in one fell swoop or mega-breach, they are attempting many more low-risk intrusions against restaurants, hotels and smaller retailers.  Hospitality is back on the top of the list this year, followed by retail.  Financial services round out pole position, but as noted, the criminals will always have their eye on our money.  Riff-raff also focused more on grabbing intellectual property rather than credit card numbers.

The Highlights:

  • The majority of breaches, 96%, were avoidable through simple or intermediate controls; if only someone decided to prevent them. 
  • 89% of companies breached are still not PCI compliant today, let alone when they were breached. 
  • External attacks exploded in 2010, and now account for the vast majority at 92% and over 99% of the lost records. 
  • 83% of victims were targets of opportunity.  Most attacks are opportunistic, with criminal rings relying on automation to discover susceptible systems for them. 
  • Most breaches aren’t discovered for weeks to months, and most breaches, 86%, are discovered by third-parties, not internal security teams.
  • Malware and ‘hacking’ are the top two threat actions by percentage of breaches, 50%/49% respectively, along with tops in percentage of records 89%/79%.  Misuse, a strong contender last year, went down in 2010.
  • Within malware, sending data to an external source, installing backdoors and key logger functions were the most common types and all increased in 2010.
  • 92% of the attacks were not that difficult.

You may ask, ‘what about mobile devices?’ since those are an often-touted avenue of data loss.  The Data Breach Report says that data loss from mobile devices is rarely part of their caseload since they typically investigate deliberate breaches and compromises rather than accidental data loss.  Plus, they focus on confirmed incidents of data compromise.  Another question might have to do with Cloud Computing breaches.  Here they answer, ‘No, not really,’ to the question of whether the cloud factors into the breaches they investigate.  They say that it is more about giving up control of the systems and the associated risk than any cloud technology.

Now comes word that subscribers of Sony’s PlayStation Network have had their personal information stolen.  I wonder how this and the other high-profile attacks this year will alter the Data Breach Report next year.  I’ve written about this type of exposure and felt it was only a matter of time before something like this occurred.  Gamers are frantic about this latest intrusion, but if you are connected to the internet in any way, shape or form, there are risks involved.  We used to joke years ago that the only way to be safe from attacks was to unplug the computers from the net.  With the way things are going, the punch line is not so funny anymore.

ps


Tuesday, December 8, 2009

X marks the Games


Sony Playstation Celebrates Its 15th Anniversary, Happy 20th birthday, Game Boy, Happy 10th anniversary, Sega Dreamcast! and November Marks the Launch Anniversary of Many a Gaming Platform.  Gaming has come a long way since the Atari 2600 and the Fairchild Channel F when we would screw those little U connectors to the UHF/VHF thingy.  Then we got ColecoVision’s arcade quality games like Donkey Kong and the early Nintendos and Segas, up to today’s Sony PlayStation, Microsoft Xbox (there’s your 24th letter) and Nintendo Wii.  These days, not only can you hook your console up to your TV monitor, you can connect to the internet and play games online, even without a console.  While gaming threats & breaches don’t always make the splashy headlines like stolen credit cards and hacked financial applications, there are still plenty of things to worry about while you’re having fun.  Whether you’re a player or provider, the risks are out there and many (both technical & social) are no different than the exploits, malware and thieves we typically hear about from general online communities.

Over the last couple of years, a number of online gaming sites experienced DDoS attacks that forced outages and tossed some sites offline.  Even Pirate Bay got hit with a DDoS attack when their users were not happy about the sale to Global Gaming Factory.  Even back in 2004, there were articles that covered the Security Issues of Online Gaming, and a few of the issues mentioned still hold today.

For users, the risks loom since they spend a lot of time and money on these games and there are always crooks out there looking to exploit that.  There is also a significant amount of social interaction with other players, and many of the social media threats, like being tricked into exposing personal or financial information, are just as prevalent.  And it’s not just hidden criminals.  Full-on media companies offering rewards, points or other game enhancements trick users into signing up for bogus offers and monthly subscriptions, all while capturing their email address, credit card and other personal info.  This is quick money for game developers (and social sites, advertisers and others) even if it is done in an unscrupulous way.

Malware infection, whether by worms, viruses or bots, is also a risk.  Most of us have learned that we should not click on an embedded email link for fear of computer infection.  But do you use the same technique when searching for a new/hidden game file or conversing with another player over IM?  They might have been part of your online ‘team’ for some time and you’ve exchanged tips.  Then they promote some cool new ‘add-on’ and send you an IM saying, ‘download this hidden gem – earn points faster!!’  Would you use the same caution as with a phishing email, or click away?  If the game required administrative rights for installation, would you grant them?  Would you allow all JavaScript and ActiveX to run, knowing the inherent browser risks?  Also, since you’re playing online, you have to be connected to a server somewhere.  Is that server vulnerable?  Has it been compromised?  If it has, then you too can be vulnerable – it’s really no different than other server exploits.  This applies to game operators also.  How are you protecting your infrastructure from malicious behavior?

This document (pdf) from US-CERT has a nice overview of avoiding online gaming risks, was an inspiration for this blog post and offers several protective measures….which look a lot like the general security good practices we hear on a daily basis:

  • Use antivirus and antispyware programs.
  • Be cautious about opening files attached to email messages or instant messages.
  • Verify the authenticity and security of downloaded files and new software.
  • Configure your web browsers securely.
  • Use a firewall.
  • Identify and back up your personal or financial data.
  • Create and use strong passwords.
  • Patch and update your application software.

Not to dampen any of your fun this year as many of us rip open new gaming consoles, connect them to the internet and start firing away, just use the same caution, suspicion and protection when you enter that fun zone.  Don’t let your guard down just because you’re having a great time – that holiday glee can morph into your winter of discontent with a single click.

ps
