Network World
Sunday, October 12, 2008

Community: Security

Anatomy of a Data Breach

In 2007 and 2008 the industry has seen an upsurge in data breaches affecting millions of consumers and causing corporations to pay heavily in fines.

Despite the increase in the number of data breaches via illicit means, internal controls seem to fail when it comes to ensuring that critical assets remain uncompromised. According to the Identity Theft Resource Center, a total of 336 breaches have been reported in 2008 alone, putting the overall number 69% higher than at this time last year. This is a concern for security teams, especially given that the dedicated resources needed to combat and reverse this trend are lacking.

This is especially important to take into consideration when going through the formal audit process to certify adherence to Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), Payment Card Industry (PCI), or the Health Insurance Portability and Accountability Act (HIPAA).

With the significant increase in data exposure, corporations can't afford to take short-cuts when it comes to information assurance. Otherwise it is almost certain that they will become victims of a serious exposure of sensitive information.

Data breaches can expose consumer information in a number of different ways that vary in complexity. The common perception of a data breach distinguishes between data extracted from stolen physical assets and actual breaches of the electronic perimeter.

While there are certainly a number of cases in which stolen assets account for the breach at hand, we are also seeing a number of electronic breaches that account for some of the most famous incidents of 2007 and 2008:

- TJ Maxx
- Monster.com
- Hannaford Bros

In fact, the financial community has experienced twice as many incidents in 2008 as in all of 2007, according to a study conducted by the Identity Theft Resource Center (ITRC). These incidents go hand in hand with regulatory laws that were supposedly designed to mitigate and reduce the risk window in an attempt to avoid such embarrassing situations.

Take for example an organization that has been PCI compliant for years but suffered a data breach in which hackers placed targeted malware on credit card processing servers at a major retailer. The question the security team has to ask itself is, "Why didn't my current anti-virus solution detect the threat?" I have an interesting hypothesis on this subject that can be found in the article "Regulatory Compliance and the Real Risk of Undetected Malware."

In 2008, implementing measures to protect against data breaches will be critical to the long-term survival of any corporation. It's not a matter of if you will be breached but a matter of when; therefore, the primary goal must be to significantly reduce the acceptable loss and narrow the window of risk.

Determining whether you have been breached is somewhat difficult, as the intruders have likely covered their initial entry by hiding any traces (deleting or hiding audit logs, etc.). Therefore, your best approach is to adopt a strategy for detecting and mitigating the effects of a breach, such as:

- Database monitoring: Technologies exist to monitor SQL and Oracle databases for suspicious activity (access by unauthorized users, insertion of scripts, execution of SQL statements, etc.). Monitoring is only part of the equation in detecting an actual breach in progress. If hackers, in addition to extracting data in real time, subsequently decide to access cardholder information stored in your databases, database monitoring will increase the odds of discovering the unauthorized access.

- Network intrusion detection: Intrusion detection technologies, in combination with other methods, can be used to detect anomalous traffic and behavior that might be associated with an attack.

- Hardening critical assets: You can minimize your exposure and risk by hardening critical assets; in other words, removing non-essential functionality such as services, applications and open ports that not only add to complexity but introduce additional risk.
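To make the database-monitoring point concrete, here is an added example (my own illustration, not code from the author or from Panda Security) of the kind of rules a database activity monitor applies: it parses a constructed audit-trail format, flags accounts or client hosts outside an assumed allow-list, flags unfiltered reads of cardholder tables, and flags statement patterns such as exports to a file or script content being written into stored data. The log format, the account/host policy and the table names are all assumptions for the demonstration; real audit trails (Oracle audit, SQL Server Audit) have their own formats and would need their own parser.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Audit log line format assumed for this example (constructed; real products
# such as Oracle's audit trail or SQL Server Audit use their own formats):
#   <timestamp> user=<db user> host=<client ip> stmt="<SQL text>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)\s+stmt="(?P<stmt>.*)"$'
)

# Assumed policy: which accounts may connect, and from which hosts.
AUTHORIZED_HOSTS = {
    "app_svc": {"10.0.0.5"},
    "dba_ann": {"10.0.0.20"},
}

# Assumed tables holding cardholder data; unfiltered reads of them are treated as bulk extraction.
SENSITIVE_TABLES = {"cardholders", "card_numbers"}

# Statement patterns that rarely appear in legitimate application traffic.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I), "bulk export of query results to a file"),
    (re.compile(r"\bxp_cmdshell\b", re.I), "operating-system command execution through the database"),
    (re.compile(r"<script\b", re.I), "script content written into stored data"),
]

# SELECT ... FROM <table> with no WHERE clause anywhere after the table name.
UNFILTERED_SELECT_RE = re.compile(r"^\s*SELECT\b.*?\bFROM\s+(\w+)(?!.*\bWHERE\b)", re.I | re.S)


@dataclass
class Event:
    ts: str
    user: str
    host: str
    stmt: str


@dataclass
class Alert:
    ts: str
    user: str
    reason: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed audit line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["user"], m["host"], m["stmt"])


def check_event(ev: Event) -> List[Alert]:
    """Apply the access and statement rules to one event; return zero or more alerts."""
    alerts: List[Alert] = []
    allowed = AUTHORIZED_HOSTS.get(ev.user)
    if allowed is None:
        alerts.append(Alert(ev.ts, ev.user, "access by unknown database account"))
    elif ev.host not in allowed:
        alerts.append(Alert(ev.ts, ev.user, f"access from unexpected host {ev.host}"))

    for pattern, reason in SUSPICIOUS_PATTERNS:
        if pattern.search(ev.stmt):
            alerts.append(Alert(ev.ts, ev.user, reason))

    m = UNFILTERED_SELECT_RE.match(ev.stmt)
    if m and m.group(1).lower() in SENSITIVE_TABLES:
        alerts.append(Alert(ev.ts, ev.user, f"unfiltered read of sensitive table {m.group(1)}"))
    return alerts


def analyze(lines: Iterable[str]) -> Tuple[List[Alert], int]:
    """Run the rules over a stream of audit lines; also count lines that failed to parse."""
    alerts: List[Alert] = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # a tampered or truncated audit trail is itself worth noticing
            continue
        alerts.extend(check_event(ev))
    return alerts, unparsed


# Constructed sample audit trail for demonstration (not real data).
SAMPLE_LOG = """\
2008-10-12T02:10:00Z user=app_svc host=10.0.0.5 stmt="SELECT name FROM customers WHERE id = 42"
2008-10-12T02:11:05Z user=app_svc host=192.168.77.9 stmt="SELECT name FROM customers WHERE id = 43"
2008-10-12T02:12:30Z user=web_tmp host=10.0.0.5 stmt="SELECT card_number, expiry FROM cardholders"
2008-10-12T02:13:00Z user=dba_ann host=10.0.0.20 stmt="SELECT * FROM cardholders INTO OUTFILE '/tmp/c.txt'"
2008-10-12T02:14:00Z user=app_svc host=10.0.0.5 stmt="UPDATE products SET blurb = '<script>...</script>' WHERE id = 7"
garbage line that is not an audit record
"""

if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.user}: {a.reason}")
    print(f"{bad} unparseable line(s)")
```

Run against the constructed sample, the monitor raises six alerts (an unexpected client host, an unknown account, two unfiltered reads of the cardholder table, one export to a file and one script insertion) and reports one line it could not parse. The unparseable count is deliberately surfaced rather than discarded: as the article notes, intruders tend to tamper with audit logs, so a trail that stops parsing cleanly is a signal in its own right.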

Ryan Sherstobitoff,
Chief Corporate Evangelist
Panda Security, US
http://pandasecurityus.wordpress.com
