SECURITY BREACHES: IS ANYONE SAFE?
2 SECURITY BREACHES – IS ANYONE SAFE?
INTRODUCTION
In 2013, it is estimated that over 66% of all security breaches happened in the United States. The
average total organizational cost, according to one survey, was over $5.4 million.1 Clearly, security
breaches are a critical risk to many organizations that must be considered in their protection profiles.
The intent of this paper is to provide a perspective on the motivations, methods and impacts
associated with security breaches and the criminal activity of hackers, whose efforts are now
focused on hacking for gain and profit. It explores various historical aspects of how hacking has
changed over the years, takes a look at some specific security breaches and data losses resulting
from hacker attacks, and describes some critical aspects organizations need to consider to reduce
their exposure (and the potential impacts) their organization might suffer from a breach.
MOTIVATIONS HAVE EVOLVED
Historically, hacking was the exclusive domain of an elite group of individuals with detailed
knowledge of technology; today just about anyone with malice and patience can learn to hack.
The abundance of readily accessible information on the web means almost any facet of the hacking
community and practices can be quickly obtained through simple Internet searches. An excerpt from
one search revealed “For less than $6, one can even purchase the ‘Hacker’s Penetration Manual.’”1
Note that in most cases, a hacker isn’t going to pay, but rather will choose to download an illegal
copy of this book from a publicly-available file share, a practice known as torrenting. Profit from hacking
comes in many forms. The current going rate per credit card on the black market is $35 - $45.2
The earlier forms of hacking, that mainly focused on social issues and pranks, have given way to a
predominance of hacking for profit, with this profit being made not only by stealing money, but also
from the discovery and sale of vulnerabilities, exploits, malware, and malware generation kits. As
they grow bolder and more sophisticated in using malware for economic gain, hackers are now openly
selling “make your own” tool kits to assist in the creation of malicious code. For example, the Web
Attacker Toolkit, sold by a Russian web site, has been reported to sell for $15 - $300.3,4 This demand
has created a new form of marketplace, where an attacker, for as little as $15, can purchase a
malware application specifically designed to facilitate the compromise and retrieval of the personal
information of a company’s patrons. It has been hypothesized that purchased applications were
involved in a number of high profile breaches, including the recent Target Corporation breach.
Unfortunately, the attackers have been successful on far too many occasions, and their victims
have suffered substantial losses in compromised records, recovery costs and financial liabilities.
According to media coverage of a recent breach, Target originally estimated an initial 40 million credit
card accounts were compromised, but ultimately the company reported that personal information for
70 million customers was also compromised in the breach, leading to a possible impact in direct and
indirect costs to Target of over $1 billion. In 2011, Zappos (an Amazon.com-owned company)
was successfully attacked and 24 million customers had their credit card information stolen. In other
examples, Sony had 77 million victims, and Citigroup had $2.7 million stolen from approximately
3,400 accounts in the same year.5 In February 2014, RiskBasedSecurity.com released a study
claiming that there were over 823 million records compromised in 2013.6 When paired with the
Ponemon Institute’s estimated average organizational cost of $194 per record for companies with
less than 100,000 records lost per breach,1 it can be extrapolated that the overall cost for data
breaches worldwide in 2013 could amount to nearly $160 billion in damages. What cannot be
accurately estimated is the total amount of money lost by corporations from events that were not
publicly reported. This “hidden event” situation can arise due to many causes, such as when a
company chooses the option to pay the ransom demand of an attacker to stay out of
the news, often out of fear of the company’s reputation being destroyed.
There is no doubt that money is currently the highest motivation for most hackers; however,
motivations also include hacktivism, recognition by other hackers, personal pride, and government
or military sponsored actions. Hacktivists attack for political or personal reasons, mostly to inform the
public of the behaviors of high level executives, companies, and governments. The hacktivist group
known as Anonymous has been credited with 17 major operations in 2013 alone. Anonymous’
attacks include operations against the nations of Israel, North Korea, Canada, India, and the United
States. In February of 2014, Russia invaded Crimea, Ukraine, which put Russian intelligence
capabilities in the spotlight. Reports of the sophistication level of the operations associated
with SORM, a system for operative investigative activities operated by the Federal Security
Service (formerly Russia’s KGB), indicate they have the ability to secretly capture all land-line
and mobile communications throughout the Ukraine without users being aware.7

[Figure: ESTIMATED DATA BREACH COSTS, in billions of dollars, 2009 to 2013. Cost based on the average number of records per breach by RiskBasedSecurity.com and average price per record by the Ponemon Institute.6, 1]
NOTABLE BREACHES OVER THE YEARS
Security breaches happen on such a regular basis that hacks, breaches and personal information
losses are becoming commonplace; but why does a security breach happen? Because someone
has enough patience, skill and time to search for an exploitable vulnerability in their target company
and then attack it by any means necessary until they achieve their goal. Furthermore, the risk of
the attacker being caught is very low. While there are significant penalties associated with a
conviction for the crimes being committed, catching and successfully prosecuting a criminal that
could potentially be on the other side of the world poses significant jurisdictional issues, is quite
costly and too often futile.
Information is Beautiful, an internet based research company, keeps records on the biggest data
breaches since 2004. According to the database at InformationIsBeautiful.com, there are over 150
incidents of data breaches since 2004 that have at least 30,000 records stolen. The infographic
below shows the most significant data breaches between Q1 of 2011 and February 2014.

[Infographic: WORLD’S BIGGEST DATA BREACHES/HACKS. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/]
Not all cybercrimes are technical in nature. Social engineering can, at times, prove an effective
means to achieving the same goal. In the first week of March 2014, a Vietnamese national, Hieu
Minh Ngo, pled guilty to tricking an Experian subsidiary, US Info Search, into gaining access to
over 200 million Americans’ private data including all credit history, credit scores, date of birth,
and social security numbers. The hack was not directly aimed at Experian or US Info Search,
but a contracted company called Court Ventures, who had the ability to search through Experian
databases. Ngo established a private company and contracted with Court Ventures. Ngo then set
up an underground market to give his own customers direct access to Experian queries against
US citizens.8
AN OVERVIEW OF THE ATTACK ON TARGET CORPORATION
According to reporter and security journalist Brian Krebs (krebsonsecurity.com), attackers gained
entrance into Target Corporation’s network with stolen credentials from Fazio Mechanical Services, a
contracted company that worked on the HVAC systems. It is not known how long the attackers had
access to the computer systems; however, it was long enough to allegedly capture credentials that
would eventually lead into Target’s external procurement system, and then into the sensitive inner
networks, past multiple layers of security. With a username and password in hand, attackers not
only uploaded a modified copy of BlackPOS, malware specifically designed to exploit point-of-sale
(POS) systems, but also purportedly launched at least two successful upgrades in preparation for
the Black Friday holiday, when their deployed software was set to attack Target’s network of POS
computer systems.
The recently-published “Kill Chain Analysis,” from the U.S. Senate9 concluded that Target’s
processing and handling of sensitive credit card information had at least one inherent weakness
that was exploitable and purportedly correctable. This was pointed out by multiple sources since
2007, including two security bulletins issued in April and August of 2013 by VISA that included
recommended actions to reduce the risks. During initial processing of a credit or debit transaction,
sensitive credit card information was stored temporarily in random access memory (RAM) for further
processing in the transaction phase of a sale. Each time a patron swiped a credit or
debit card, the malware sprang into action and parsed the memory of the system to obtain the card
information, a process known as RAM scraping. The stolen information was stored on a file share
inside of the Target corporate network. To exfiltrate the information, hackers used a clear-text File
Transfer Protocol (FTP) service to push the information from Target’s internal network to a remote
server and then finally download the stolen data.10,11
IMPACT OF A SECURITY BREACH
Organizations that are victims of security breaches, such as the incident at Target Corporation,
do not suffer only from the impact of the stolen data. Bloomberg reported at the end of February
2014 that the breach cost Target Corporation an estimated $61 million in initial damages.12
CNBC reported that the Target Corporation could possibly be sued by banks like
Chase and Citibank for the amount of money lost per credit card.13 This could lead to Target
Corporation being held liable for over $1 billion in financial losses due to this one security breach.
In 2013, during an independent study by EMC, 3,200 interviews were conducted of organizations
that experienced a breach.14 The diagram above represents the number of companies that
experienced other internal losses beyond the costs directly attributable to a security breach.
Another collateral impact is the loss of investor confidence; the graph on page 7 shows the
impact on stock shares for Target Corporation immediately following the recent security breach.
The Wall Street Journal’s Market Watch reported that Target Corporation’s stock prices dropped
11% over the course of two months before finally seeing any type of rebound.12 Target also
reported a 46% drop in earnings for the 4th quarter of 2013.15 Identity Theft 911 Chairman and
Founder, Adam Levin, supports the idea that because Target Corporation responded quickly,
sympathetically, and with actions that were acceptable to its patrons, Target Corporation minimized
the potential loss of customers. Target Corporation had the resources to respond to patrons
quickly; however, what if a small or medium sized company did not have the ability to respond
in the same way as Target?
In a private study, conducted by Scott & Scott, LLP, of more than 700 businesses that experienced
security breaches, 74% of mid-to-large sized businesses experienced a loss of customers, 59%
faced potential litigation, 33% faced industry fines, and 32% experienced a decline in their share
values.16 No matter the size of the breach, history has shown that every company that has a
publicized breach will suffer some degree of damage to both its reputation and bottom line.
[Figure: CONSEQUENCES OF DATA BREACHES, percentage of surveyed organizations reporting each loss (0 to 50%). Categories: loss of employee productivity; loss of revenue; loss of customer confidence/loyalty; loss of an incremental business opportunity; loss of business to a competitor; delay in product/service development; loss of a new business opportunity; loss of customer; damage to company brand and reputation; loss of repeat business; delay in getting products/services to market; damage to company stock price. Source: http://www.emc.com/collateral/other/emc-trust-curve-es.pdf 14]
WHAT IT ALL MEANS
It is clear that the primary motivations, size, frequency and success rate of security breaches
have changed significantly in the past decade, most often to the detriment of many of the most-
recognized brands in the world. Likewise, it seems clear that the defensive measures adopted
by many of the institutions attacked, whether to meet Payment Card Industry (PCI) Data Security
Standard (DSS) or other information security and data protection regulations, have failed to
provide adequate protection, perhaps because of inconsistent deployment, inadequate controls
management, failures in monitoring processes or a combination of these factors. What is equally
clear is that complete disclosure of the facts associated with the attacks rarely occurs for the vast
majority of companies that are successfully breached. Greater transparency is often cited as a
way to prevent hackers from reusing the same attack on other potential victims, and to enable
others to eliminate the vulnerabilities and weaknesses in protective measures, preventing a
broader group of attacks in the future.
Based on our analysis of the published information and our knowledge of preventive and
detective controls, Experis believes there are some lessons that can be learned from the recent
Target breach and other historical breaches. Even after accepting the potential for some of the
attacks to be based on newly-discovered vulnerabilities (“zero-day attacks”), it is clear that a
significant number of breaches are using well-known attack methods that could have been partially
or wholly mitigated by preventive controls. Chief among these controls are proper network and
system segmentation to limit direct access to critical business systems and network devices.
Use of multi-level access controls to initiate changes to critical systems is another control that
would have diminished the ability for some of the attacks to successfully compromise production
systems used to process customer data. Additionally, periodic vulnerability testing, more robust
monitoring capabilities and more effective escalation and response to alerts would reduce the
window of opportunity and the accompanying impact level for many of the published attacks.
And lastly, greater formality, consistency and rigor in the management and oversight of third party
vendors would significantly reduce the vulnerabilities introduced by these service providers and the
associated network connections.

[Figure: LOSS OF INVESTOR CONFIDENCE FOLLOWING A SECURITY BREACH, Target Corporation share price. Source: Google.com/finance]
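The two controls singled out above, segmentation of critical systems and monitoring that actually escalates, map directly onto the Target exfiltration path described earlier (clear-text FTP pushed from the internal network to a remote server). The following is an added example, not code from the paper or from Experis: a small policy check that reads a constructed firewall connection log and flags POS-segment hosts talking to anything but their allowed payment gateway, plus any internal host sending data to an external address over a clear-text protocol. The log format, subnets, addresses and the allow list are all assumptions made for this example.

```python
"""Segmentation and clear-text egress check over a constructed connection log.

Added example only; the log format, subnets and addresses are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (not a real vendor format). Fields: timestamp,
# source, destination, destination port, protocol, bytes sent.
SAMPLE_LOG = """\
2014-02-10T09:14:02 src=10.20.5.17 dst=10.20.9.3 dport=443 proto=tcp bytes=1810
2014-02-10T09:14:05 src=10.20.5.17 dst=10.20.9.3 dport=443 proto=tcp bytes=2204
2014-02-10T09:15:41 src=10.20.5.17 dst=10.20.7.44 dport=445 proto=tcp bytes=524288
2014-02-10T09:16:03 src=10.20.7.44 dst=203.0.113.8 dport=21 proto=tcp bytes=8388608
2014-02-10T09:20:17 src=10.20.5.18 dst=10.20.9.3 dport=443 proto=tcp bytes=1795
2014-02-10T09:22:09 src=10.20.5.18 dst=198.51.100.5 dport=21 proto=tcp bytes=1048576
"""

# Assumed network layout: one POS subnet inside a larger corporate range.
POS_SEGMENT = ipaddress.ip_network("10.20.5.0/24")
INTERNAL_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]

# Segmentation policy: POS terminals may only reach the payment gateway over TLS.
ALLOWED_FROM_POS = {("10.20.9.3", 443)}

# Protocols that carry data unencrypted; any egress over these is worth an alert.
CLEAR_TEXT_PORTS = {20: "ftp-data", 21: "ftp", 23: "telnet", 80: "http"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL_SEGMENTS)


def evaluate(rec):
    """Apply both rules to one connection record; return a list of finding tags."""
    findings = []
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    # Rule 1: a POS host talking to anything outside its allow list breaks segmentation.
    if src in POS_SEGMENT and (rec["dst"], rec["dport"]) not in ALLOWED_FROM_POS:
        findings.append("segmentation-violation")
    # Rule 2: internal host -> external address over a clear-text protocol (FTP etc.).
    if is_internal(src) and not is_internal(dst) and rec["dport"] in CLEAR_TEXT_PORTS:
        findings.append("cleartext-egress:" + CLEAR_TEXT_PORTS[rec["dport"]])
    return findings


def analyse(log_text):
    """Return (timestamp, src, dst, dport, finding) tuples for every rule hit."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently treated as clean
        for finding in evaluate(rec):
            alerts.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], finding))
    return alerts


def summarize(alerts):
    """Count alerts per finding type, the figure an escalation threshold would watch."""
    return Counter(alert[4] for alert in alerts)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
    print(summarize(analyse(SAMPLE_LOG)))
```

On the constructed log the two POS hosts produce two segmentation alerts, and two hosts produce clear-text FTP egress alerts, with the second POS host tripping both rules on the same connection.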
These controls are not new – they have been described as primary controls in information security
standards for decades. So why does it appear they have not been deployed more universally? Our
experience indicates the answer is most often difficulty in measuring the potential impact of an event
that has not yet occurred within an organization, but could, and translating the strategic value of
implementing and maintaining security controls to upper management. Unlike the insurance field,
most information security organizations lack the equivalent of detailed actuarial tables and robust
predictive mortality analysis techniques that other fields can use to justify the risk and impact of their
decisions. When combined with the lack of transparency in reported breaches, this leaves many
security organizations, and the organizational executive decision makers they support, with too little
verifiable information to help them determine when and how to reallocate their resources to deal with
possible, but often rare, attack patterns.
Experis believes there are some actions organizations can take to significantly reduce their exposure
and risk profile. We have seen that organizations that have robust security strategies and roadmaps
that are visibly linked to corporate strategies and business initiatives are better prepared to meet
the challenges brought on by data breaches and the evolving hacker environment. In addition,
organizations that have formal security control definitions and an accompanying exception tracking
and approval process that involves IT, Security and business executives tend to have fewer
instances where generally-accepted controls are either not properly deployed on all critical systems,
or are removed from service once deployed, often to reduce the cost of security. And, organizations
that take a more formal approach to vendor risk management have a much lower incidence of
vulnerabilities or breaches involving vendors and vendor staff. These programs are characterized by
less reliance on self-assessment, and more reliance on rigorous, formal processes that periodically
inspect the full spectrum of people, process and technology controls.
Lastly, organizations that utilize different internal groups and third parties to periodically test all critical
applications, systems and networks, routinely identify and eliminate latent risks more quickly, and
therefore suffer fewer attacks and data breaches than organizations that fail to effectively use these
protective measures.
HOW EXPERIS CAN HELP
Experis is a global leader in professional resourcing and project-based workforce solutions.
We accelerate organizations’ growth by intensely attracting, assessing and placing specialized
expertise in IT, Finance and Engineering to precisely deliver in-demand talent for mission-critical
positions, enhancing the competitiveness of the organizations and people we serve.
Experis maintains a dedicated Information Security Center of Expertise that employs seasoned
security practitioners that collectively have experience across a broad range of security topics,
client environments and industry-specific requirements. The Experis Information Security Center of
Expertise helps organizations meet the security challenges posed by continuously changing and
expanding operational environments. This ongoing evolution challenges organizations to protect
their information assets while trying to meet an increasingly complex set of industry and regulatory
requirements. Experis has assisted a broad range of clients across all industries with practical
information security solutions that help them effectively and securely conduct business while
controlling costs. Our specialized group of individuals delivers security-related services ranging from
information security program strategy development, risk analysis and control determination, to PCI
assessments, penetration testing, and ASV scanning. Brief descriptions of some of our services
that are particularly relevant to this area include:
• Security Strategy and Roadmap Development – Experis assists clients by reviewing their existing
security programs to identify strengths and weaknesses in how information security is practiced,
and opportunities for improvement. During a typical program review, we assess the organization’s
current people, process and technology capabilities, and then define a strategic roadmap to
evolve the organization to a rational future state.
• Vulnerability Assessments and Penetration Tests – Experis maintains an “in-house” capability
that performs vulnerability assessments and penetration tests for external and internal networks,
wireless, and applications. Our experienced team works with clients from all industries to
provide an exercise that fits their specialized needs. Our reports provide detailed analyses of
the identified areas of weakness and implementable recommendations. We maintain a Virtual
Security Test Center that contains publicly available and commercially licensed tools that are
re-evaluated annually.
• Vendor Risk Management (VRM) – Experis supports client vendor risk management needs
by providing staff that are skilled in the review and re-engineering of existing VRM programs
to make them more effective and efficient. We also are adept at creating entirely new VRM
programs that are tailored to meet the specific needs of the client vendor environment, with
associated assessments, metrics and reports that ensure appropriate oversight.
• Technology Specifications – Experis supports our clients with the development and deployment
of technology and information profiles, which are recognized as a fundamental requirement for a
well-designed and well-managed security infrastructure. We are adept at determining appropriate
identification, classification and labeling of assets, and specifying controls for information handling,
storage, processing and transmission.
• Policies and Procedures – Experis regularly reviews clients’ security policies, procedures and
guidelines to determine their adequacy in reducing risks within each client’s environment.
We utilize industry standards and applicable legal, regulatory and contractual requirements to
determine the specific constraints the security organization must respond to in establishing
and maintaining their company’s information security controls.
• Security Integration – Experis assists our clients in the identification and mitigation of specific
business risks associated with their technology infrastructure, and we also help ensure they
understand the costs and potential impacts to daily operations and personnel. We also provide
assistance with the evaluation and design of technology migration strategies, remote access
solutions, access controls and various networking security monitoring solutions.
The Experis Information Security Center of Expertise can rapidly deploy security professionals
and services to meet any demand. Experis’ security professionals hold advanced degrees and
industry leading certifications such as CISSP, CISM, C|EH, QSA, ASV, PCIP, and CISA.
Many participate in, or hold leadership positions across, industry-recognized associations and
present at conferences, colleges, and government functions. For all our services, Experis brings
a combination of proven and practical methodologies, customized for the client with innovative
enhancements that offer a unique perspective. By using industry-accepted security frameworks,
Experis develops a baseline for increasing functional accountability for each client’s business
environment. Whether providing security resources or full services, we produce results that fit
our client’s business and security objectives now and into the future.
References
[1] https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
[2] http://www.nytimes.com/2010/02/02/business/global/02hacker.html?pagewanted=all&_r=2&
[3] http://www.npr.org/blogs/money/2011/06/20/137227559/how-to-buy-a-stolen-credit-card
[4] http://www.esecurityplanet.com/prevention/article.php/3638886/Hacking-for-Profit.htm
[5] http://money.cnn.com/2012/01/16/technology/zappos_hack/index.htm
[6] https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf
[7] https://www.recordedfuture.com/russia-ukraine-cyber-front/
[8] http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access-200-million-consumer-records/
[9] http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883
[10] http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error
[11] http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
[12] http://www.bloomberg.com/video/how-much-did-target-s-data-breach-finally-cost-D6UeXVh1QZOjCwXMhh58BQ.html
[13] http://www.cnbc.com/id/101293579
[14] http://www.emc.com/collateral/other/emc-trust-curve-es.pdf
[15] http://blogs.marketwatch.com/behindthestorefront/2014/02/26/two-months-after-damaging-data-breach-target-stock-has-its-best-day-in-5-years/
[16] http://www.bloomberg.com/video/how-much-did-target-s-data-breach-finally-cost-D6UeXVh1QZOjCwXMhh58BQ.html
EXPERIS • 100 MANPOWER PLACE • MILWAUKEE, WI 53212 • USA
WWW.EXPERIS.COM
© 2014 MANPOWERGROUP. ALL RIGHTS RESERVED.