Credential theft out of control
Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security, while stolen passwords and credentials are out of control.
This is according to the 2011 Data Breach Investigations Report from the Verizon Business Risk Team with cooperation from the US Secret Service and the Dutch High Tech Crime Unit. The study now spans seven years and covers over 1 700 breaches involving more than 900 million compromised records.
The 2011 report investigated approximately 760 data breaches and finds that hacking (50%) and malware (49%) were the most prominent types of attack, with many of them involving stolen credentials and passwords.
As in previous years, the vulnerabilities created by conventional access credentials feature among the report's key findings.
Mark Eardley, channel manager at SuperVision Biometric Systems, believes the abuse of traditional access credentials lies the very heart of cyber crime.
“It makes perfect sense that this should be the case. Why? Because anyone can use your password, PIN and your card - and you can use theirs.
“Your IT password, PIN or smartcard is really not much more of a security measure than the pens on your desk. Just like anyone can use the pens, so they can use your password, or your card and PIN. Which is exactly what the cyber villains are doing,” he says.
Cyber black market
With prices reaching $30 000 per account, usernames and passwords are the most common type of records traded on the cyber black market and have the highest per record value, according to Bryan Sartin, Verizon's director of investigative response.
“Apart from the fact that they are shared, lost and forgotten on a daily basis, these antiquated credentials are routinely being exploited by villains who use them to steal sensitive data, vandalise IT systems, make fraudulent EFT payments and commit a multitude of identity frauds,” he notes.
With such statistics, Eardley says corporate cyber crime is widespread, persistent and very much here to stay.
“Given that the barriers to unauthorised IT access are so hopelessly weak, it's hardly surprising that cyber villains are causing such immense losses,” stresses Eardley.
A report by the UK government estimates that in 2010 the cyber theft of UK corporate secrets cost R187 billion.
Last year, one of SA's leading firms of forensic investigators estimated that white-collar crime is costing the country R150 billion a year. And the world's largest study of occupational fraud estimated that organisations typically lose 5% of revenue to insider villains.
“It doesn't matter if you think you might lose R100 or R100 million through corporate cyber crime,” says Eardley. “The fact of the matter is this: it's almost 100% guaranteed that your company's loss will be caused by somebody abusing a password, PIN or card.”
He also maintains that lost, forgotten, shared and stolen password vulnerabilities represent a flaw at the core of IT security. “These are the four fundamental flaws within any IT security solution that is based on passwords, PINs and cards.”
Although costs are repeatedly incurred to renew lost or damaged cards and reset forgotten passwords and PINs, he adds, these incidents do not usually represent a security threat.
“However, because these credentials are so easily transferred between people, they are routinely used to commit the full range of corporate cyber crimes.
“But IT security just will not do anything radical about it. It seems we're immovably tied to our roots and that corporate IT can't drop the access credentials that it was born with some 50 years ago. It's like a drowning blacksmith refusing to let go of his favourite hammers,” he reckons.