SECURITY BREACHES: IS ANYONE SAFE?


INTRODUCTION

In 2013, it is estimated that over 66% of all security breaches happened in the United States. The average total organizational cost, according to one survey, was over $5.4 million.1 Clearly, security breaches are a critical risk to many organizations and must be considered in their protection profiles.

The intent of this paper is to provide a perspective on the motivations, methods and impacts associated with security breaches and the criminal activity of hackers, whose efforts are now focused on hacking for gain and profit. It explores various historical aspects of how hacking has changed over the years, takes a look at some specific security breaches and data losses resulting from hacker attacks, and describes some critical aspects organizations need to consider to reduce their exposure to a breach and the potential impacts a breach might cause.

MOTIVATIONS HAVE EVOLVED

Historically, hacking was the exclusive domain of an elite group of individuals with detailed knowledge of technology; today just about anyone with malice and patience can learn to hack. The abundance of readily accessible information on the web means almost any facet of the hacking community and its practices can be quickly obtained through simple Internet searches. An excerpt from one search revealed: “For less than $6, one can even purchase the ‘Hacker’s Penetration Manual.’”1 Note that in most cases a hacker isn’t going to pay, but rather will choose to download an illegal copy of this book from a publicly available file share, a practice known as torrenting. Profit from hacking comes in many forms. The current going rate per credit card on the black market is $35 - $45.2

The earlier forms of hacking, which mainly focused on social issues and pranks, have given way to a predominance of hacking for profit, with this profit being made not only by stealing money, but also from the discovery and sale of vulnerabilities, exploits, malware, and malware generation kits. As they grow more bold and sophisticated in using malware for economic gain, hackers are now openly selling “make your own” tool kits to assist in the creation of malicious code. For example, the Web Attacker Toolkit, sold by a Russian web site, has been reported to sell for $15 - $300.3,4 This demand has created a new form of marketplace, where an attacker, for as little as $15, can purchase a malware application specifically designed to facilitate the compromise and retrieval of the personal information of a company’s patrons. It has been hypothesized that purchased applications were involved in a number of high profile breaches, including the recent Target Corporation breach.

Unfortunately, the attackers have been successful on far too many occasions, and their victims have suffered substantial losses in compromised records, recovery costs and financial liabilities. According to media coverage of a recent breach, Target originally estimated that 40 million credit card accounts were compromised, but ultimately the company reported that personal information for 70 million customers was also compromised in the breach, leading to a possible impact in direct and indirect costs to Target of over $1 billion. In 2011, Zappos (an Amazon.com-owned company) was successfully attacked and 24 million customers had their credit card information stolen. In other examples, Sony had 77 million victims, and Citigroup had $2.7 million stolen from approximately 3,400 accounts in the same year.5 In February 2014, RiskBasedSecurity.com released a study claiming that there were over 823 million records compromised in 2013.6 When paired with the Ponemon Institute’s estimated average organizational cost of $194 per record for companies with fewer than 100,000 records lost per breach,1 it can be extrapolated that the overall cost of data breaches worldwide in 2013 could amount to nearly $160 billion in damages. What cannot be accurately estimated is the total amount of money lost by corporations from events that were not publicly reported. This “hidden event” situation can arise from many causes, such as when a company chooses to pay an attacker’s ransom demand to stay out of the news, often out of fear of the company’s reputation being destroyed.

There is no doubt that money is currently the highest motivation for most hackers; however, motivations also include hacktivism, recognition by other hackers, personal pride, and government- or military-sponsored actions. Hacktivists attack for political or personal reasons, mostly to inform the public of the behaviors of high-level executives, companies, and governments. The hacktivist group known as Anonymous has been credited with 17 major operations in 2013 alone. Anonymous’ attacks include operations against the nations of Israel, North Korea, Canada, India, and the United States. In February of 2014, Russia invaded Crimea, Ukraine, which put Russian intelligence capabilities in the spotlight. Reports of the sophistication level of the operations associated with SORM, a system for operative investigative activities operated by the Federal Security Service (formerly Russia’s KGB), indicate they have the ability to secretly capture all land-line and mobile communications throughout Ukraine without users being aware.7

[Figure: ESTIMATED DATA BREACH COSTS, in billions of dollars, by year from 2009 to 2013 (vertical axis $0 to $180 billion). Cost based on the average number of records per breach by RiskBasedSecurity.com and average price per record by the Ponemon Institute.6,1]

NOTABLE BREACHES OVER THE YEARS

Security breaches happen on such a regular basis that hacks, breaches and personal information losses are becoming commonplace; but why does a security breach happen? Because someone has enough patience, skill and time to search for an exploitable vulnerability in their target company and then attack it by any means necessary until they achieve their goal. Furthermore, the risk of the attacker getting caught is very low. While there are significant penalties associated with a conviction for the crimes being committed, catching and successfully prosecuting a criminal who could potentially be on the other side of the world poses significant jurisdictional issues, is quite costly and too often futile.

Information is Beautiful, an Internet-based research company, keeps records on the biggest data breaches since 2004. According to the database at InformationIsBeautiful.com, there have been over 150 data breach incidents since 2004 in which at least 30,000 records were stolen. The infographic below shows the most significant data breaches between Q1 of 2011 and February 2014.

[Infographic: WORLD’S BIGGEST DATA BREACHES/HACKS. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/]


Not all cybercrimes are technical in nature. Social engineering can, at times, prove an effective means to achieving the same goal. In the first week of March 2014, a Vietnamese national, Hieu Minh Ngo, pled guilty to tricking an Experian subsidiary, US Info Search, and thereby gaining access to over 200 million Americans’ private data, including all credit history, credit scores, dates of birth, and social security numbers. The hack was not directly aimed at Experian or US Info Search, but at a contracted company called Court Ventures, which had the ability to search through Experian databases. Ngo established a private company and contracted with Court Ventures. Ngo then set up an underground market to give his own customers direct access to Experian queries against US citizens.8

AN OVERVIEW OF THE ATTACK ON TARGET CORPORATION

According to reporter and security journalist Brian Krebs (krebsonsecurity.com), attackers gained entrance into Target Corporation’s network with stolen credentials from Fazio Mechanical Services, a contracted company that worked on the HVAC systems. It is not known how long the attackers had access to the computer systems; however, it was long enough to allegedly capture credentials that would eventually lead into Target’s external procurement system, and then into the sensitive inner networks, past multiple layers of security. With a username and password in hand, attackers not only uploaded a modified copy of BlackPOS, malware specifically designed to compromise point-of-sale (POS) systems, but also purportedly launched at least two successful upgrades in preparation for the Black Friday holiday, when their deployed software was set to attack Target’s network of POS computer systems.

The recently published “Kill Chain Analysis” from the U.S. Senate9 concluded that Target’s processing and handling of sensitive credit card information had at least one inherent weakness that was exploitable and purportedly correctable. This weakness had been pointed out by multiple sources since 2007, including two security bulletins issued in April and August of 2013 by VISA that included recommended actions to reduce the risks. During initial processing of a credit or debit transaction, sensitive card information was stored temporarily in random access memory (RAM) for further processing in the transaction phase of a sale. Each time a patron swiped a credit or debit card, the malware sprang into action and parsed the memory of the system to obtain the card information, a process known as RAM scraping. The stolen information was stored on a file share inside the Target corporate network. To exfiltrate the information, the attackers used a cleartext File Transfer Protocol (FTP) service to push the information from Target’s internal network to a remote server, from which they finally downloaded the stolen data.10,11

IMPACT OF A SECURITY BREACH

Organizations that are victims of security breaches, such as the incident at Target Corporation, do not suffer only from the impact of the stolen data. Bloomberg reported at the end of February 2014 that the breach cost Target Corporation an estimated $61 million in initial damages.12 CNBC reported that Target Corporation could possibly be sued by banks such as Chase and Citibank for the amount of money lost per credit card.13 This could lead to Target Corporation being held liable for over $1 billion in financial losses due to this one security breach.

In 2013, during an independent study by EMC, 3,200 interviews were conducted of organizations that experienced a breach.14 The diagram below (Consequences of Data Breaches) represents the number of companies that experienced other internal losses beyond the costs directly attributable to a security breach. Another collateral impact is the loss of investor confidence; the graph titled Loss of Investor Confidence Following a Security Breach shows the impact on stock shares for Target Corporation immediately following the recent security breach. The Wall Street Journal’s MarketWatch reported that Target Corporation’s stock price dropped 11% over the course of two months before finally seeing any type of rebound.12 Target also reported a 46% drop in earnings for the 4th quarter of 2013.15 Identity Theft 911 Chairman and Founder Adam Levin supports the idea that because Target Corporation responded quickly, sympathetically, and with actions that were acceptable to its patrons, it minimized the potential loss of customers. Target Corporation had the resources to respond to patrons quickly; however, what if a small or medium-sized company did not have the ability to respond in the same way as Target?

In a private study conducted by Scott & Scott, LLP, of more than 700 businesses that experienced security breaches, 74% of mid-to-large sized businesses experienced a loss of customers, 59% faced potential litigation, 33% faced industry fines, and 32% experienced a decline in their share values.16 No matter the size of the breach, history has shown that every company that has a publicized breach will suffer some degree of damage to both its reputation and bottom line.

CONSEQUENCES OF DATA BREACHES (percentage of breached organizations reporting each consequence)

Source: http://www.emc.com/collateral/other/emc-trust-curve-es.pdf 14

  Loss of employee productivity                  45%
  Loss of revenue                                39%
  Loss of customer confidence/loyalty            32%
  Loss of an incremental business opportunity    27%
  Loss of business to a competitor               27%
  Delay in product/service development           26%
  Loss of a new business opportunity             26%
  Loss of customer                               26%
  Damage to company brand and reputation         23%
  Loss of repeat business                        20%
  Delay in getting products/services to market   16%
  Damage to company stock price                  10%


[Graph: LOSS OF INVESTOR CONFIDENCE FOLLOWING A SECURITY BREACH (Target Corporation share price following the breach). Source: Google.com/finance]

WHAT IT ALL MEANS

It is clear that the primary motivations, size, frequency and success rate of security breaches have changed significantly in the past decade, most often to the detriment of many of the most recognized brands in the world. Likewise, it seems clear that the defensive measures adopted by many of the institutions attacked, whether to meet the Payment Card Industry (PCI) Data Security Standard (DSS) or other information security and data protection regulations, have failed to provide adequate protection, perhaps because of inconsistent deployment, inadequate controls management, failures in monitoring processes or a combination of these factors. What is equally clear is that complete disclosure of the facts associated with the attacks rarely occurs for the vast majority of companies that are successfully breached. Overcoming this lack of transparency is often cited as a way to prevent hackers from reusing the same attack on other potential victims, and also to enable others to eliminate the vulnerabilities and weaknesses in protective measures, which might prevent a broader group of attacks in the future.

Based on our analysis of the published information and our knowledge of preventive and detective controls, Experis believes there are some lessons that can be learned from the recent Target breach and other historical breaches. Even after accepting the potential for some of the attacks to be based on newly discovered vulnerabilities (“zero-day attacks”), it is clear that a significant number of breaches use well-known attack methods that could have been partially or wholly mitigated by preventive controls. Chief among these controls is proper network and system segmentation to limit direct access to critical business systems and network devices. Use of multi-level access controls to initiate changes to critical systems is another control that would have diminished the ability of some of the attacks to successfully compromise production systems used to process customer data. Additionally, periodic vulnerability testing, more robust monitoring capabilities and more effective escalation and response to alerts would reduce the window of opportunity and the accompanying impact level for many of the published attacks. And lastly, greater formality, consistency and rigor in the management and oversight of third-party vendors would significantly reduce the vulnerabilities introduced by these service providers and the associated network connections.
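The attack path described in the Target overview (a vendor foothold, staging on an internal file share, cleartext FTP out of the network) and the controls this section calls for (segmentation, monitoring, vendor oversight) can be turned into concrete flow-log detection rules. The Python below is an added example, not code from the paper or from Experis; the segment addresses, the POS allowlist, the record format and the sample flows are all constructed assumptions.

```python
"""Flow-log checks for the breach pattern above: vendor access into the card
environment, staging on an internal share, cleartext FTP leaving the network.
Added example, not from the paper or Experis; the address plan, allowlist,
record format and sample flows are assumptions constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed address plan (hypothetical RFC 1918 ranges).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")     # point-of-sale terminals
VENDOR_SEGMENT = ipaddress.ip_network("10.90.0.0/24")  # third-party vendor VPN pool
# The only destinations a POS terminal should initiate traffic to
# (hypothetical payment switch and patch server).
POS_ALLOWED_DESTS = {ipaddress.ip_address("10.1.5.10"),
                     ipaddress.ip_address("10.1.5.11")}
CLEARTEXT_FILE_PORTS = {20, 21, 69}    # FTP data, FTP control, TFTP
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024  # escalate cleartext uploads over 10 MiB


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed key=value format, e.g.
    'src=10.20.3.7 dst=10.1.5.10 dport=443 bytes=512'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                int(fields["dport"]), int(fields["bytes"]))


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL)


def evaluate(flow: Flow) -> List[str]:
    """Return the names of every rule the flow violates (empty if clean)."""
    findings = []
    # Segmentation: a POS host reaching anything outside its allowlist is the
    # lateral-movement / staging step (malware writing to an internal share).
    if flow.src in POS_SEGMENT and flow.dst not in POS_ALLOWED_DESTS:
        findings.append("POS_SEGMENTATION_VIOLATION")
    # A POS host should never talk to the Internet directly.
    if flow.src in POS_SEGMENT and not is_internal(flow.dst):
        findings.append("POS_DIRECT_EGRESS")
    # Vendor-sourced sessions into the card environment: the initial foothold.
    if flow.src in VENDOR_SEGMENT and flow.dst in POS_SEGMENT:
        findings.append("VENDOR_TO_POS")
    # Cleartext file transfer leaving the network: the exfiltration step.
    if flow.dport in CLEARTEXT_FILE_PORTS and not is_internal(flow.dst):
        findings.append("CLEARTEXT_FTP_EGRESS")
        if flow.bytes_out >= LARGE_UPLOAD_BYTES:
            findings.append("LARGE_CLEARTEXT_UPLOAD")
    return findings


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged record to its findings; clean records are omitted."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        findings = evaluate(parse_flow(line))
        if findings:
            results[line] = findings
    return results


# Constructed records replaying the stages above. 203.0.113.0/24 is a
# documentation range standing in for the attacker's drop server.
SAMPLE_FLOWS = [
    "src=10.20.3.7 dst=10.1.5.10 dport=443 bytes=512",         # normal authorization
    "src=10.90.0.12 dst=10.20.3.7 dport=445 bytes=2048000",    # vendor pool -> POS
    "src=10.20.3.7 dst=10.30.8.4 dport=445 bytes=4194304",     # POS -> internal share
    "src=10.30.8.4 dst=203.0.113.25 dport=21 bytes=78643200",  # share -> FTP drop server
]

if __name__ == "__main__":
    for record, hits in scan(SAMPLE_FLOWS).items():
        print(record, "->", ", ".join(hits))
```

Each rule maps to one of the controls named above (segmentation, monitoring, vendor oversight), so a hit on any of them is a signal worth escalating rather than a mere anomaly score.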

These controls are not new – they have been described as primary controls in information security standards for decades. So why does it appear they have not been deployed more universally? Our experience indicates that the answer is most often the difficulty of measuring the potential impact of an event that has not yet occurred within an organization, but could, and of translating the strategic value of implementing and maintaining security controls to upper management. Unlike the insurance field, most information security organizations lack the equivalent of detailed actuarial tables and robust predictive mortality analysis techniques that other fields can use to justify the risk and impact of their decisions. When combined with the lack of transparency in reported breaches, this leaves many security organizations, and the organizational executive decision makers they support, with too little verifiable information to help them determine when and how to reallocate their resources to deal with possible, but often rare, attack patterns.

Experis believes there are some actions organizations can take to significantly reduce their exposure and risk profile. We have seen that organizations that have robust security strategies and roadmaps that are visibly linked to corporate strategies and business initiatives are better prepared to meet the challenges brought on by data breaches and the evolving hacker environment. In addition, organizations that have formal security control definitions and an accompanying exception tracking and approval process that involves IT, Security and business executives tend to have fewer instances where generally accepted controls are either not properly deployed on all critical systems, or are removed from service once deployed, often to reduce the cost of security. And organizations that take a more formal approach to vendor risk management have a much lower incidence of vulnerabilities or breaches involving vendors and vendor staff. These programs are characterized by less reliance on self-assessment, and more reliance on rigorous, formal processes that periodically inspect the full spectrum of people, process and technology controls.

Lastly, organizations that utilize different internal groups and third parties to periodically test all critical applications, systems and networks routinely identify and eliminate latent risks more quickly, and therefore suffer fewer attacks and data breaches than organizations that fail to effectively use these protective measures.

HOW EXPERIS CAN HELP

Experis is a global leader in professional resourcing and project-based workforce solutions. We accelerate organizations’ growth by intensely attracting, assessing and placing specialized expertise in IT, Finance and Engineering to precisely deliver in-demand talent for mission-critical positions, enhancing the competitiveness of the organizations and people we serve.

Experis maintains a dedicated Information Security Center of Expertise that employs seasoned security practitioners that collectively have experience across a broad range of security topics, client environments and industry-specific requirements. The Experis Information Security Center of Expertise helps organizations meet the security challenges posed by continuously changing and expanding operational environments. This ongoing evolution challenges organizations to protect their information assets while trying to meet an increasingly complex set of industry and regulatory requirements. Experis has assisted a broad range of clients across all industries with practical information security solutions that help them effectively and securely conduct business while controlling costs. Our specialized group of individuals delivers security-related services ranging from information security program strategy development, risk analysis and control determination, to PCI assessments, penetration testing, and ASV scanning. Brief descriptions of some of our services that are particularly relevant to this area include:

• Security Strategy and Roadmap Development – Experis assists clients by reviewing their existing security programs to identify strengths and weaknesses in how information security is practiced, and opportunities for improvement. During a typical program review, we assess the organization’s current people, process and technology capabilities, and then define a strategic roadmap to evolve the organization to a rational future state.

• Vulnerability Assessments and Penetration Tests – Experis maintains an “in-house” capability that performs vulnerability assessments and penetration tests for external and internal networks, wireless, and applications. Our experienced team works with clients from all industries to provide an exercise that fits their specialized needs. Our reports provide detailed analyses of the identified areas of weakness and implementable recommendations. We maintain a Virtual Security Test Center that contains publicly available and commercially licensed tools that are re-evaluated annually.

• Vendor Risk Management (VRM) – Experis supports client vendor risk management needs by providing staff that are skilled in the review and re-engineering of existing VRM programs to make them more effective and efficient. We also are adept at creating entirely new VRM programs that are tailored to meet the specific needs of the client vendor environment, with associated assessments, metrics and reports that ensure appropriate oversight.

• Technology Specifications – Experis supports our clients with the development and deployment of technology and information profiles, which are recognized as a fundamental requirement for a well-designed and well-managed security infrastructure. We are adept at determining appropriate identification, classification and labeling of assets, and specifying controls for information handling, storage, processing and transmission.

• Policies and Procedures – Experis regularly reviews clients’ security policies, procedures and guidelines to determine their adequacy in reducing risks within each client’s environment. We utilize industry standards and applicable legal, regulatory and contractual requirements to determine the specific constraints the security organization must respond to in establishing and maintaining their company’s information security controls.

• Security Integration – Experis assists our clients in the identification and mitigation of specific business risks associated with their technology infrastructure, and we also help ensure they understand the costs and potential impacts to daily operations and personnel. We also provide assistance with the evaluation and design of technology migration strategies, remote access solutions, access controls and various network security monitoring solutions.

The Experis Information Security Center of Expertise can rapidly deploy security professionals and services to meet any demand. Experis’ security professionals hold advanced degrees and industry-leading certifications such as CISSP, CISM, C|EH, QSA, ASV, PCIP, and CISA. Many participate in, or hold leadership positions across, industry-recognized associations and present at conferences, colleges, and government functions. For all our services, Experis brings a combination of proven and practical methodologies, customized for the client with innovative enhancements that offer a unique perspective. By using industry-accepted security frameworks, Experis develops a baseline for increasing functional accountability for each client’s business environment. Whether providing security resources or full services, we produce results that fit our client’s business and security objectives now and into the future.


References

[1] https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf

[2] http://www.nytimes.com/2010/02/02/business/global/02hacker.html?pagewanted=all&_r=2&

[3] http://www.npr.org/blogs/money/2011/06/20/137227559/how-to-buy-a-stolen-credit-card

[4] http://www.esecurityplanet.com/prevention/article.php/3638886/Hacking-for-Profit.htm

[5] http://money.cnn.com/2012/01/16/technology/zappos_hack/index.htm

[6] https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf

[7] https://www.recordedfuture.com/russia-ukraine-cyber-front/

[8] http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access-200-million-consumer-records/

[9] http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883

[10] http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error

[11] http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

[12] http://www.bloomberg.com/video/how-much-did-target-s-data-breach-finally-cost-D6UeXVh1QZOjCwXMhh58BQ.html

[13] http://www.cnbc.com/id/101293579

[14] http://www.emc.com/collateral/other/emc-trust-curve-es.pdf

[15] http://blogs.marketwatch.com/behindthestorefront/2014/02/26/two-months-after-damaging-data-breach-target-stock-has-its-best-day-in-5-years/

[16] http://www.bloomberg.com/video/how-much-did-target-s-data-breach-finally-cost-D6UeXVh1QZOjCwXMhh58BQ.html


EXPERIS • 100 MANPOWER PLACE • MILWAUKEE, WI 53212 • USA

WWW.EXPERIS.COM

© 2014 MANPOWERGROUP. ALL RIGHTS RESERVED.