As the volume of online transactions has gone up, so has the volume of data breaches that organizations face. Non-compliance to norms is obviously a leading reason for the occurrence of data breaches. In our own experience with PCI Forensic Investigation (PFI) projects in 2018, we found that as far as breaches at the network level were concerned, 62 percent of organizations were non-compliant at the time of breach. This essentially meant that they had not properly configured the network layer, thereby making room for intruders to attack. Even for breaches concerning access control, 63 percent of organizations were found to be non-compliant at the time of breach; which means that there were no proper access controls implemented and configured.
Most organizations had a fairly large “window of vulnerability” or a phase during which a system, environment, software, and/or website could potentially be exploited by an attacker. The best way to reduce the window of vulnerability is to implement and monitor standard security controls as prescribed by the PCI DSS. Testing your security through traditional means like penetration testing and vulnerability scanning is a great place to start.
Breaches can occur through a variety of different modes. In our own experience, we found that 25 percent organizations were breached through remote access, which happens to be one of most common hacking vectors. 41 percent of organizations were breached through malicious code, which entered the system through cross-site scripting (XSS) and other methods. Also, 70 percent of organizations had memory-scraping malware on their system. Also, while 90 percent of organizations did have firewalls in place at the time of compromise, at least 15 percent of these did not meet PCI requirements.
Overall, some of the common ingress points that stood out were vulnerable public facing servers or applications, mail servers (through malicious email attachments sent to employees), and common users in a poorly segmented environment. Also, one of the most common routes for data to be compromised is through single EDC terminal POS systems for small merchants/stores. These often get infected with credit card sniffing malware with some unauthorized software installs. We also saw some more sophisticated hacks, for instance, in the case of some banks where adversaries breached the vulnerable points of the banking environment by moving laterally to gain access to the critical server in banking environment.
If we look back as the past year, there are some valuable lessons that organizations can take away to better protect their precious organizational data from being compromised:
Before we can get down to the task of protecting the data, the first step is for the organization to have an accurate view into the data that it holds. In our experience, for example, 38 percent of organizations did not know that certain data existed in their systems. Unless organizations have the visibility into their data and are aware that they might potentially be storing data that is prone to compromises, they will do precious little to protect it. On average, SISA finds 25,654 card records being at risk in each case that we analyze.
In general, most organizations are complacent about monitoring data and fail to detect signs and patterns that point to malicious activity. Most intruders take at least a year to successfully breach an organization. During this time, continuous monitoring of logs can help detect anomalies that point to possible breaches. Yet, 95 percent of organizations failed to detect these incidents in our experience.
Incident Response and Forensics
In the aftermath of a breach, 80 percent of organizations don’t know what do when an incident happens and how to do forensic analysis. Preparedness for such an event is essential both to prevent future breaches as well as to understand the extent of damage.
Organizations often don’t prioritize the task of updating latest patches and upgrading older versions of operating systems. As a result, we find that the average organization is vulnerable for 300 days; which is certainly a large enough window for a breach to occur. Being conscientious about timely patch updates can help reduce vulnerability to a large extent.
Mr. Dharshan Shanthamurthy, Founder CEO at SISA, had presented these issues in detail at the PCI Standards Security Council event in New Delhi scheduled on March 13, 2019, for the session titled “Technology and Payments – Lessons Learned from Data Breaches in 2018”.
SISA also organized a webinar on the topic on March 28, 2019. The webinar provides an insight in payment data breaches investigated by SISA in 2018 and details out the common ingress points, lateral movement, and egress of a compromised environment. (YouTube Video Link)
The webinar covers an extensive view on the forensic cases (PFI and IFI) finding, lesson learned, and improve on the threat hunting process to minimize the data compromise.