http://www.darkreading.com/application-security/database-security/lessons-learned-from-4-major-data-breaches-in-2013/d/d-id/1140962?
Breach stats are declining, but data is still at risk from poorly protected databases, applications, and endpoints
In many respects the breach trends of 2013 have borne out some good news for the security industry. Unlike the past four to five years, this one has not been awash with mega database breaches of tens of millions of records containing personally identifiable information (PII). And according to statistics compiled by the Privacy Rights Clearinghouse, both the number of breaches publicly reported and the volume of records breached have declined. Last year at this time, the running count already totaled approximately 27.8 million records compromised and 637 breaches reported. This year, that tally so far equals about 10.6 million records compromised and 483 breaches reported. It's a testament to the progress the industry has made in the fundamentals of compliance and security best practices. But this year's record is clearly far from perfect.
When comparing year-to-date numbers, the volume of records breached went down a drastic 61.7 percent, while the number of reported breaches was only reduced by about 24.2 percent. This shows that breaches are still occurring at a fast clip -- it's just now the distribution of theft and compromise has spread out. Breaches are smaller, and according to security insiders, they're far more targeted. And frequently the theft is of IP or other digital property that could be even more damaging than customer records when stolen, but which are more difficult to quantify and don't make the statistical headlines.
Delving deeper into the specifics of breaches occurring this year, it is evident there's still work to do. As evidenced by the 2013 track record, valuable databases are still left unprotected and unencrypted, applications are still riddled with vulnerabilities, and users are still allowed to download huge quantities of information from sensitive databases and store them on poorly protected endpoints. To plead our case, Dark Reading has cherry-picked a few helpful examples and offered up some valuable lessons the industry can learn from these incidents.
Company Compromised: CorporateCarOnline.com
Breach Stats: 850,000 records stolen
The Details: Personal details, credit card numbers, and other PII from some of the biggest American names in professional sports, entertainment, Fortune 500 business, and politics were all stolen in this juicy heist of a plain text archive held by this company that develops a SaaS database solution for limo services across the country. Some of the big names on the list include Tom Hanks, Sen. Tom Daschle, and Donald Trump.
Lessons Learned: A key lesson is how the ingenuity of attackers knows no bounds when the most valuable financial and social-engineering-fueling information is at stake. According to
KrebsOnSecurity.com, a quarter of the compromised card numbers were high- or no-limit American Express cards, and other information would prove a treasure trove for corporate spies or tabloid media players. Meanwhile, the company at hand paid absolutely no regard to the security of the information, without even trying to take the most basic of cryptographic measures to protect it.
Company Compromised: Adobe
Breach Stats: Nearly 3 million PII records, more than 150 million username/password combos, and source code from Adobe Acrobat, ColdFusion, ColdFusion Builder and other unspecified products were stolen.
The Details: This is the breach that just keeps unraveling as the hits keep coming more than a month after the compromise was first disclosed. Originally just though a compromise of 3 million PII records, it's now clear that Adobe is contending with the loss of a vast trove of login credentials, and, more startlingly, its source code.
Lessons Learned: Not only is the still-unfolding Adobe story a good teaching moment for how thoroughly a company can be owned by attackers once they've established a foothold in a corporate network, it's also a lesson on how dependent the entire enterprise ecosystem is on the security of its software supply chain. The potential ramifications could ripple out for a long while yet as a result of this breach.
Company Compromised: U.S. Department Of Energy
Breach Stats: PII stolen for 53,000 former and current DOE employees
The Details: Attackers targeted DOEInfo, the agency's outdated, publicly accessible system built on ColdFusion for the office of its CFO. DOE officials say the breach was limited to PII about employees.
Lessons Learned: There were two big lessons here. First, patching always has been and always will be paramount. Second, organizations must think about reducing their attack surfaces by reconsidering which systems connected to sensitive databases should be left open on publicly facing websites.
Company Compromised: Advocate Medical Group
Breach Stats: 4 million patient records stolen
The Details: The theft of four computers from offices owned by this medical company exposed more than 4 million patient records in what officials are calling the second-largest loss of unsecured health information since notification to the Department of Health and Human Services became mandatory in 2009.
Lessons Learned: Health-care breaches are dominating the 2013 breach disclosure list thus far, but this one in particular is the most egregious. With patient records dating back to the 1990s compromised from a physical computer theft, it is clear that the basics in physical security, endpoint security, encryption, and data protection were all deficient. In particular, endpoint theft and loss in health-care issues seems to come up time and time again. It may be time for these organizations to reconsider how much data an endpoint is allowed to download and store from centralized databases.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's
editors directly, send us a message.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio
泄露事故统计数字正在逐步下降,但数据仍然面临着由数据库、应用以及终端保护不当所引发的严重风险。
从多个角度来看,2013年的数据泄露趋势已经得到有效扼制,这对于安全行业来说当然是个好消息。不同于过去四到五年,今年的记录当中不再充斥着大型数据库泄露所导致的数以千万计个人身份信息的外流。根据隐私权信息交流中心的调查,本年度公开报道的泄露事故数量及记录在案的泄露事故数量双双呈下降趋势。去年同期,得到确切统计的记录泄露数量已经达到约278万条,漏洞报告则为637份。而在今年,目前为止记录在案的泄露事故约为107万条,漏洞报告则为483份。这充分证明整个安全行业在合规性与安全最佳实践方面所迎来的进步——然而这样的战绩与理想目标相比仍然相去甚远。
在对年初至今的数字进行比较时,我们发现记录在案的泄露事故数量大幅降低了61.7%,然而报告提及的泄露事故数量则仅降低了24.2%。这表明泄露事故仍然快速发生——只不过如今的犯罪活动及违规事件开始逐步扩散而非集中于一点。泄露事件影响范围更小,而且根据安全业内人士的说法,此类恶意活动的目标也更为广泛。现在犯罪分子开始更多地窃取IP或者其它数字资产,由此引发的损失可能比客户记录本身更为严重——同时这也更加难以量化,无法提供头条新闻所必需的统计结果。
通过对今年发生的泄露事故的深入钻研,我们发现安全行业明显仍有大量工作要做。2013年的追踪记录证明,有价值数据库仍然没有受到严格保护与加密、应用程序仍然存在大量安全漏洞、用户们则仍然能够从敏感数据库中下载大量信息并将其保存在缺乏保护的终端当中。为了帮助大家更好地理解当前安全形势,我们选取了几项最具代表意义的实例,希望各位能够从中吸取可资借鉴的教训。
当事企业: CorporateCarOnline.com
泄露统计: 850,000份记录被盗
事故细节:作为全美最具知名度的专业体育、娱乐外加五百强企业,CorporateCarOnline.com拥有大量用户个人资料、信用卡号码以及其它个人身份信息,然而由于其开发出的全球豪车租赁SaaS数据库解决方案将全部信息以纯文本形式储存,最终导致这一切成为犯罪分子的囊中之物。名单中涉及不少大牌,包括汤姆·汉克斯、汤姆·达施勒以及唐纳德·特朗普等。
经验教训:最重要的教训在于认清这样一个现实:面对极具价值的财务与社会工程信息,攻击者们会爆发出极为可怕的技术能量。根据KrebsOnSecurity.com网站的调查,目前遭遇过违规活动的美国运通卡当中有四分之一为高额度甚至无限额度卡片,而且企业间谍分子或者娱乐小报记者也希望通过这类个人信息挖掘到有价值结论。与此同时,该公司在管理收支账目时完全没有考虑过信息安全性,甚至从未尝试采取任何最基本的加密措施。
当事企业: Adobe
泄露统计: 约三百万个人身份信息、超过1.5亿用户名/密码组合以及来自Adobe Acrobat、ColdFusion、ColdFusion Builder外加其它未说明产品的源代码惨遭窃取。
事故细节: 自最初的违规事件发生之后,接踵而来的更多攻击活动持续了一个多月之久,并最终导致了此次重大事故的发生。目前情况已经明确,Adobe正在努力恢复其失窃的大量登录凭证信息——更令人惊讶的是,连其产品源代码也一并泄露。
经验教训: 通过Adobe遭遇的这一轮震惊世界的攻击活动,我们不仅切身感受到攻击者在企业网络中建立根据地并夺取了整套业务储备控制权后所能带来的损害,同时也应学会在考虑将供应商引入软件供应链之前、考察对方在安全领域营造出了怎样的企业生态。作为此次泄露事故的后续影响,其潜在后果恐怕在很长一段时间内都无法彻底消除。
当事企业: 美国能源部
泄露统计: 53000位前任及现任能源部员工的个人身份信息遭到窃取
事故细节: 攻击者将矛头指向了DOEInfo——该机构利用ColdFusion所打造的、已经弃之不用的CFO办公室公开访问系统。能源部官员表示,此次泄露事故只限于内部员工的个人身份信息。
经验教训: 我们从中应该吸取两大教训。首先,安装补丁过去是、现在是、未来也将一直是最为重要的安全任务。其次,各机构必须通过重新审视与敏感数据库相对接的系统最大程度减少攻击面,保证只向公众开放必要的网站。
当事企业: Advocate Medical Group
泄露统计: 四百万病人记录遭到窃取
事故细节: 仅仅由于犯罪分子从办公室里偷走了四台由该公司拥有的计算机,最终导致了这起四百万病人记录丢失的事故——公司官方将此称为自2009年卫生部强制要求通告安全事故以来、美国发生过的第二大医疗信息泄露案件。
经验教训: 医疗行业的数据泄露事故在2013年的违规披露名单当中一直占据主导,但这一次的案件造成的影响显然特别恶劣。仅仅由于一台物理计算设备失窃就最终导致从上世纪九十年代至今的病人记录泄露,这充分暴露了该公司在物理安全、终端安全、加密以及数据保护等各个方面的全线失误。需要强调的是,终端设备被盗与丢失在医疗行业中已经屡见不鲜。现在这些机构可能需要尽快思考终端设备到底能够下载并保存多少来自中央数据库的信息。