By Joseph Menn
April 14
When a cyber security breach hits the
news, those most closely involved often have incentive to play
up the sophistication of the attack.
If hackers are portrayed as well-funded geniuses, victims
look less vulnerable, security firms can flog their products and
services, and government officials can push for tougher
regulation or seek more money for cyber defenses.
But two deeply researched reports being released this week
underscore the less-heralded truth: the vast majority of hacking
attacks are successful because employees click on links in
tainted emails, companies fail to apply available patches to
known software flaws, or technicians do not configure systems
properly.
These conclusions will be in the minds of executives
attending the world's largest technology security conference
next week in San Francisco, a conference named after lead
sponsor RSA, the security division of EMC Corp.
In the best-known annual study of data breaches, a report
from Verizon Communications Inc to be released on
Wednesday found that more than two-thirds of the 290 electronic
espionage cases it learned about in 2014 involved phishing, the
security industry's term for trick emails.
Because so many people click on tainted links or
attachments, sending phishing emails to just 10 employees will
get hackers inside corporate gates 90 percent of the time,
Verizon found.
"There's an overarching pattern," said Verizon scientist Bob
Rudis. Attackers use phishing to install malware and steal
credentials from employees, then they use those credentials to
roam through networks and access programs and files, he said.
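The "10 employees, 90 percent" figure above can be unpacked with a small probability model. This is an added example, not code or a formula from the Verizon report; it assumes each recipient clicks independently with the same probability, which is a simplification of real click behaviour.

```python
import math

# Added example (not from the Verizon report or the article): models a
# phishing campaign as n independent recipients who each click with
# probability p. Independence is an assumption; real click behaviour is
# correlated (same training, same department, same mail filter).


def campaign_success(p_click: float, n_targets: int) -> float:
    """Probability that at least one of n_targets recipients clicks."""
    return 1.0 - (1.0 - p_click) ** n_targets


def implied_click_rate(n_targets: int, success: float) -> float:
    """Per-recipient click rate implied by an observed campaign success rate."""
    return 1.0 - (1.0 - success) ** (1.0 / n_targets)


def targets_needed(p_click: float, success: float) -> int:
    """Smallest n such that campaign_success(p_click, n) >= success."""
    return math.ceil(math.log(1.0 - success) / math.log(1.0 - p_click))


if __name__ == "__main__":
    # The article's figure: 10 recipients -> 90 percent campaign success.
    p = implied_click_rate(10, 0.90)
    print(f"implied per-recipient click rate: {p:.1%}")  # about 20.6%

    # Defender's view: what the same 10-recipient campaign yields once
    # awareness training and mail filtering lower the per-recipient rate,
    # and how many more recipients an attacker then needs for 90 percent.
    for trained_p in (0.10, 0.05, 0.01):
        print(f"click rate {trained_p:.0%}: 10 recipients -> "
              f"{campaign_success(trained_p, 10):.1%} campaign success; "
              f"{targets_needed(trained_p, 0.90)} recipients needed for 90%")
```

The point for defenders is that the per-recipient click rate drives the curve: halving it does far more than adding a filter that catches a few extra messages.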
Verizon's report includes its own business investigations
and data from 70 other contributors, including law enforcement.
It found that while major new vulnerabilities such as Heartbleed
are being used by hackers within hours of their
announcement, more attacks last year exploited patchable
vulnerabilities dating from 2007, 2010, 2011, 2012 and 2013.
Another annual cyber report, to be released on Tuesday by
Symantec Corp, found that state-sponsored spies also
used phishing techniques because they work and because the
less-sophisticated approach drew less scrutiny from defenders.
Once inside a system, however, the spies turned fancy,
writing customized software to evade detection by whatever
security programs the target has installed, Symantec said.
"Once I'm in, I can do what I need to," said Robert Shaker,
an incident response manager at Symantec. The report drew on
data from 57 million sensors in 157 countries and territories.
Another troubling trend Symantec found involves the use of
"ransomware," in which hackers encrypt a computer's files and
promise to release them only if the user pays a ransom. (Some 80
percent of the time, they do not decrypt the files even then.)
The new twist comes from hackers who encrypt files,
including those inside critical infrastructure facilities, but
do not ask for anything. The mystery is why: Shaker said it is
not clear whether the attackers are securing the information for
resale to other spies or potential saboteurs, or whether they
plan on making their own demands in the future.
RSA CONFERENCE
At next week's RSA Conference, protecting critical
infrastructure systems under increasing attack will be a major
theme. Another theme will be the need for more
sharing of "intelligence" about emerging threats - between the
public and private sectors, within the security industry, and
within certain industries.
While many of the biggest breaches of the past two years
involved retailers, the healthcare industry has figured heavily
in recent months. Former FBI futurist Marc Goodman said that
both spies and organized criminals are likely at work, the
former seeking leverage to use in recruiting informants and the
latter looking to cash in on medical and insurance fraud.
Verizon's researchers said that to be most effective,
information-sharing would have to be essentially in real time,
from machine to machine, and cross multiple sectors, a daunting
proposition.
Another section of the Verizon report could help security
executives make the case for bigger budgets. The researchers
produced the first analysis of the actual costs of breaches
derived from insurance claims, instead of survey data.
Verizon said the best indicator of the cost of an incident
is the number of records compromised, and that the cost rises
logarithmically, flattening as the size of the breach rises.
According to the new Verizon model, the loss of 100,000
records should cost roughly $475,000 on average, while 100
million lost records should cost about $8.85 million.
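The two figures quoted above are enough to sketch the shape of the curve. The following is an added example, not Verizon's published model: it assumes a power-law (log-log linear) relationship between records lost and cost, which is one functional form consistent with the flattening the article describes, and fits it through the two quoted points.

```python
import math

# Added example, not the Verizon model itself: fits a two-parameter
# power law cost = A * records**b through the two figures quoted in the
# article. The power-law form is an assumption here; it reproduces the
# described behaviour of total cost growing while cost per record falls.

ANCHORS = {100_000: 475_000.0, 100_000_000: 8_850_000.0}  # from the article


def fit_power_law(points: dict) -> tuple:
    """Return (A, b) such that cost = A * records**b passes through two points."""
    (n1, c1), (n2, c2) = sorted(points.items())
    b = math.log(c2 / c1) / math.log(n2 / n1)
    log_a = math.log(c1) - b * math.log(n1)
    return math.exp(log_a), b


def predicted_cost(records: int, points: dict = ANCHORS) -> float:
    """Modelled average cost of a breach of the given size."""
    a, b = fit_power_law(points)
    return a * records ** b


def cost_per_record(records: int, points: dict = ANCHORS) -> float:
    """Modelled average cost per compromised record."""
    return predicted_cost(records, points) / records


if __name__ == "__main__":
    a, b = fit_power_law(ANCHORS)
    print(f"exponent b = {b:.3f}  (b < 1 means per-record cost falls with size)")
    for n in (1_000, 100_000, 1_000_000, 10_000_000, 100_000_000):
        print(f"{n:>11,} records: ${predicted_cost(n):>13,.0f} total, "
              f"${cost_per_record(n):.4f} per record")
```

Interpolated values between the two anchors (for example one million records) are model output, not figures from the report.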
Though the harder data will be welcome to number-crunchers,
spending more money cannot guarantee complete protection against
attacks.
The RSA Conference floor will feature vendors touting
next-generation security products and anomaly-spotting big-data
analytics. But few will actually promise that they can stop
someone from clicking on a tainted email and letting a hacker
in.
(Reporting by Joseph Menn in San Francisco; Editing by Tiffany
Wu)