Posts Tagged: Bryan Sartin


28
Feb 14

Breach Blind Spot Puts Retailers on Defensive

In response to rumors in the financial industry that Sears may be the latest retailer hit by hackers, the company said today it has no indications that it has been breached. Although the Sears investigation is ongoing, experts say there is a good chance the identification of Sears as a victim is a false alarm caused by a common weaknesses in banks’ anti-fraud systems that becomes apparent mainly in the wake of massive breaches like the one at Target late last year.

Earlier this week, rumors began flying that Sears was breached by the same sort of attack that hit Target. In December, Target disclosed that malware installed on its store cash registers compromised credit and debit card data on 40 some million transactions. This publication reached out on Wednesday to Sears to check the validity of those rumors, and earlier today Bloomberg moved a brief story saying that the U.S. Secret Service was said to be investigating a possible data breach at Sears.

But in a short statement issued today, Sears said the company has found no information indicating a breach at the company.

“There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach,” Sears said in a written statement. “We have found no information based on our review of our systems to date indicating a breach.”

The Secret Service declined to comment.

Media stories about undisclosed breaches in the retail sector have fueled rampant speculation about the identities of other victim companies. Earlier this week, The Wall Street Journal ran a piece quoting Verizon Enterprise Solutions’s Bryan Sartin saying that the company — which investigates data breaches — was responding to two different currently undisclosed breaches at major retailers.

Interestingly, Sartin gave an interview last week to this publication specifically to discuss a potential blind spot in the approach used by most banks to identify companies that may have had a payment card breach — a weakness that he said almost exclusively manifests itself directly after large breaches like the Target break-in.

Continue reading →


19
Apr 11

Are Megabreaches Out? E-Thefts Downsized in 2010

The number of financial and confidential records compromised as a result of data breaches in 2010 fell dramatically compared to previous years, a decrease that cybercrime investigators attribute to a sea-change in the motives and tactics used by criminals to steal information. At the same time, organizations of all sizes are dealing with more frequent  and smaller breaches than ever before, and most data thefts continue to result from security weaknesses that are relatively unsophisticated and easy to prevent.

These are some of the conclusions drawn from Verizon‘s fourth annual Data Breach Investigations Report. The report measures data breaches based on compromised records, including the theft of Social Security numbers, intellectual property, and credit card numbers, among other things.

It’s important to note at the outset that Verizon’s report only measures loss in terms of records breached. Many businesses hit by cyber crooks last year lost hundreds of thousands of dollars apiece when thieves stole one set of records, such as their online banking credentials.

The data-rich 74-page study is based on information gleaned from Verizon and U.S. Secret Service investigations into about 800 new data compromise incidents since last year’s report (the study also includes an appendix detailing 30 cybercrime cases investigated by the Dutch National High Tech Crime Unit).

Although the report examines the data from more breaches in a single year than ever before (the total Verizon/US Secret Service dataset from all previous years included just over 900 breaches), Verizon found that the total number of breached records fell from 361 million in 2008 to 144 million in 2009 to just 4 million last year.

A good portion of the report is dedicated to positing what might be responsible for this startling decline, but its authors seem unwilling to let the security industry take any credit for it.

“An optimist may interpret these results as a sign that the security industry is WINNING! Sorry, Charlie”, the report says. “While we’d really like that to be the case, one year just isn’t enough time for such a wholesale improvement in security practices necessary to cut data loss so drastically.”

The study suggests a number of possible explanations. For example:

-There were relatively few huge data heists. Those which had been responsible for the majority of the breached records in the past few years were breaches involving tens of millions of stolen credit and debit cards. Those high profile attacks may have achieved fame and fortune for the attackers, but they also attracted a lot of unwanted attention.  Many of the past megabreaches ended in the capture and arrest of those responsible, such the case of Albert Gonzales, the former Secret Service informant who was sentenced last year to 20 years in prison for his role in the theft of 130 million credit and debit card numbers from card processing giant Heartland Payment Systems. “Those that wish to stay out of jail may have changed their goals and tactics to stay  under the radar,” the report notes. “This could be one of the chief reasons behind the rash of ‘mini breaches’ involving smaller organizations.”

-Megabreaches of years past flooded criminal underground markets with so many stolen card numbers that their value plummeted. Criminals’ attention may have turned to stealing other lower profile data types, such as bank account credentials, personal information and intellectual property. In other words, criminals might opt to let the markets clear before stealing more huge quantities or selling what they already had purloined. “It’s worth noting that a lot of the cards that were stolen over the last few years in these megabreaches probably are going to start expiring soon,” said Bryan Sartin, director of investigative response at Verizon Business. “So we could be in a holding pattern right now.”

Continue reading →


28
Jul 10

Hacked Companies Hit by the Obvious in 2009

As a rule, I tend to avoid writing about reports and studies unless they offer truly valuable and actionable insights: Too often, reports have preconceived findings that merely serve to increase hype and drum up business for the companies that commission them. But I always make an exception for the annual data breach report issued by the Verizon Business RISK team, which is consistently so chock full of hype-slaying useful data and conclusions that it is often hard to know what not to write about from its contents.

Once again, some of the best stuff is buried deep in this year’s report and is likely to be missed in the mainstream coverage. But let’s get the headline-grabbing findings out of the way first:

-Verizon’s report on 2009 breaches for the first time includes data from the U.S. Secret Service. Yet, the report tracks a sharp decline in the total number of compromised records (143 million compromised records vs.  285 million in 2008).

-85 percent of records last year were compromised by organized criminal groups (this is virtually unchanged from the previous report).

-94 percent of compromised records were the result of breaches at companies in the financial services industry.

-45 percent of breaches were from external sources only, while 27 percent were solely perpetrated from the inside by trusted employees.

Among the most counter-intuitive findings in the report?

There wasn’t a single confirmed intrusion that exploited a patchable vulnerability. Rather, 85 percent of the breaches involved common configuration errors or weaknesses that led to things like SQL database injection attacks, and did not require the exploitation of a flaw that could be fixed with a software patch. In most cases, the breaches were caused by weaknesses that could be picked up by a free Web vulnerability scanner:

“Organizations exert a great deal of effort around the testing and deployment of patches — and well they should. Vulnerability management is a critical aspect of any security program. However, based on evidence collected over the last six years, we have to wonder if we’re going about it in the most efficient and effective manner. Many organizations treat patching as if it were all they had to do to be secure. We’ve observed multiple companies that were hell-bent on getting patch X deployed by week’s end but hadn’t even glanced at their log files in months.”

Speaking of log files, one of the most interesting sections of the 66-page report comes in a sidebar titled “Of Needles and Haystacks,” which states that 86 percent of all breaches last year could have been prevented if victim companies had simply looked for unusual patterns in the log files created by their Web servers.

Continue reading →