Data breach? Blame your third party's remote access systems

Three-quarters of the time, shoddy security with vendor's remote-access and VPN to blame for data breach, Trustwave study finds

An in-depth study of data-breach problems last year where hackers infiltrated 312 businesses to grab gobs of mainly customer payment-card information found the primary way they got in was through third-party vendor remote-access applications or VPN for systems maintenance.

"The majority of our analysis of data-breach investigations -- 76% -- revealed that the third-party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers," the Trustwave report published today states. The vast majority of the 312 companies suffering the payment-card breach were retailers, restaurants or hotels and they came to Trustwave for incident response help because Visa, MasterCard or another payment-card organization had traced a batch of stolen card cards to their businesses, demanding a forensics investigation within a matter of days.

MORE SECURITY: Hot authentication tools

In fact, only 16% of the 312 companies managed to detect the payment-card data breach on their own, says Nicholas Percoco, senior vice president at Trustwave and head of its SpiderLabs division. Most of the time, sophisticated analysis by the payment-card organizations of a large volume of fraud reports from customers about unauthorized credit-card use was the trigger for the call from Visa or MasterCard to investigate a suspected breach.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Page 2 of 2

And in a case from Europe last year in which a payment service provider was hacked and multiple servers and a wide-area network of more than 1,000 hosts were attacked, Trustwave says it identified the "single point of weakness as a legacy X.25 node."

The X.25 protocol, which was widely used in the 1980s to build wide-area networks, still finds use today with financial institutions for inter-bank data exchange, the report states. The attacker in this case "identified an internal development system and proceeded to re-write a well-known rootkit on the HP-UX operating system. The rootkit was then installed across a number of cardholder data processing servers to mask the presence of other malicious programs introduced by the attacker."

Trustwave says the "malicious scripts harvested cardholder data by terminating the legitimate instances of payment-processing software and then restarting the software with a Trojanized-debugger attached. The debugger captured all inter-process communications including unencrypted payment card data from within the system memory, which was otherwise encrypted when at rest on the disk and in transit on the network."

This attack went on from almost 18 months and the "attacker was only identified when a subtle flaw within their own customized malware alerted the payment service provider's operational staff to suspicious activity."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about security in Network World's Security section.