Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is the other.)
My CISO hates this year’s edition because of its Joy Division-inspired cover and some of the cutesy writing. But it still makes some valid points that I wish everyone would take to heart, and those points remind me why so many people in my field of work listen to Joy Division.
I found a story today stating that the attackers who stole millions of credit cards from Target didn’t have to try very hard to hide. I wish I could say I was surprised.
My boss says it this way: Amateurs hit as hard as they can. Professionals hit as hard as they have to.
Why? Because if they only hit as hard as they have to, they can save the hard hit for another day. And it really boils down to simple economics. If I can buy off-the-shelf malware for $1,000 and use it to steal millions of dollars, then use the same malware again somewhere else and steal another few million, why not do that? The alternative is to buy a sophisticated attack that costs five or six figures. Then what happens? I use it, get my money, and then the victim can’t figure it out, so the victim calls in Mandiant. Mandiant discovers the zero-day attack, then tells the world about it. Mandiant looks good because they discovered something nobody else has ever seen before. The victim looks a lot better too, because they got mowed down by something that was unstoppable. But then the vendor moves heaven and earth to release an emergency out-of-band patch as quickly as possible, closing down a very brief window of opportunity to use it.
Cyber criminals may be crooked and unethical, but they aren’t stupid. And that’s why this is an uphill battle: A cheap attack can go up against defenses that cost an order of magnitude more, and still win.
As you probably know, last year some still-unknown criminals stole a whole bunch of credit and debit card data from Target. And the story keeps changing. First there weren’t any PINs. Then they got the PINs, but no personally identifiable data. Well, the latest news indicates they got credit card numbers, names, addresses, phone numbers, and e-mail addresses, for a whole lot more people, and probably over a longer period of time than just late November to mid-December.
There are a few things you ought to do if you shop at Target, which many people do.