IS 376 NOVEMBER 5, DATA BREACH INVESTIGATIONS REPORT By The Verizon RISK Team Research Investigations Solutions Knowledge

COMPUTER SECURITY COMPUTERS AND NETWORKS WERE ORIGINALLY DEVELOPED TO FACILITATE ACCESS, NOT TO RESTRICT IT. SOFTWARE/HARDWARE SYSTEMS KNOWN AS FIREWALLS ARE OFTEN USED TO PROVIDE CHOKE POINTS FOR COMPUTER SYSTEMS. THEY PREVENT UNAUTHORIZED LOGINS FROM THE OUTSIDE WORLD.THEY PREVENT UNAUTHORIZED LOGINS FROM THE OUTSIDE WORLD. THEY AUDIT THE TRAFFIC ENTERING AND EXITING THE SYSTEM.THEY AUDIT THE TRAFFIC ENTERING AND EXITING THE SYSTEM. THEY MAY BE USED TO BLOCK OUTGOING DATA TO UNAUTHORIZED DESTINATIONS.THEY MAY BE USED TO BLOCK OUTGOING DATA TO UNAUTHORIZED DESTINATIONS. IS /5/13 PAGE 2

IS /5/13 PAGE 3 DENIAL OF SERVICE ATTACKS DENIAL OF SERVICE ATTACKS CONSIST OF THE CONSUMPTION OF A LIMITED RESOURCE, USUALLY NETWORK CONNECTIVITY, IN AN EFFORT TO DENY LEGITIMATE ACCESS TO THAT RESOURCE. IN THIS TYPE OF ATTACK, THE ATTACKER BEGINS THE PROCESS OF ESTABLISHING A CONNECTION TO THE VICTIM MACHINE, BUT DOES IT IN SUCH A WAY AS TO PREVENT THE ULTIMATE COMPLETION OF THE CONNECTION. IN THE MEANTIME, THE VICTIM MACHINE HAS RESERVED ONE OF A LIMITED NUMBER OF DATA STRUCTURES REQUIRED TO COMPLETE THE IMPENDING CONNECTION. THE RESULT IS THAT LEGITIMATE CONNECTIONS ARE DENIED WHILE THE VICTIM MACHINE IS WAITING TO COMPLETE BOGUS "HALF-OPEN" CONNECTIONS.

IS /5/13 PAGE 4VIRUSES A VIRUS IS A COMPUTER PROGRAM FILE CAPABLE OF ATTACHING TO DISKS OR OTHER FILES AND REPLICATING ITSELF REPEATEDLY, TYPICALLY WITHOUT USER KNOWLEDGE OR PERMISSION. SOME VIRUSES ATTACH TO FILES SO WHEN THE INFECTED FILE EXECUTES, THE VIRUS ALSO EXECUTES. OTHER VIRUSES SIT IN A COMPUTER'S MEMORY AND INFECT FILES AS THE COMPUTER OPENS, MODIFIES OR CREATES THE FILES. SOME VIRUSES DISPLAY SYMPTOMS, AND SOME VIRUSES DAMAGE FILES AND COMPUTER SYSTEMS.

IS /5/13 PAGE 5 HOW DO VIRUSES WORK? A COMPUTER VIRUS PIGGYBACKS ON ANOTHER FILE TO INFECT A SYSTEM. WHEN A USER RUNS AN INFECTED PROGRAM, THE COMPUTER STARTS BY COPYING THE PROGRAM FROM THE DISK (OR THE WEB), WHERE IT IS STORED AND INACTIVE, INTO RAM, WHERE IT CAN BE EXECUTED. THE VIRAL CODE BEGINS RUNNING FIRST, WHILE THE INFECTED PROGRAM IS STILL QUIESCENT. THE VIRUS COPIES ITSELF IN A PART OF RAM SEPARATE FROM THE PROGRAM SO THAT IT CAN CONTINUE ITS WORK EVEN AFTER THE USER STARTS RUNNING OTHER SOFTWARE. ITS INITIAL WORK DONE, THE VIRUS PASSES CONTROL BACK TO THE INFECTED PROGRAM. WHEN THE USER RUNS A DIFFERENT PROGRAM, THE DORMANT VIRUS BEGINS RUNNING AGAIN. IT INSERTS A COPY OF ITSELF INTO THE PREVIOUSLY UNINFECTED SOFTWARE SO THAT THE CYCLE OF VIRULENCE CAN REPEAT.

IS /5/13 PAGE 6 FIGHTING VIRUSES VARIOUS TECHNIQUES HAVE BEEN DEVELOPED TO COMBAT COMPUTER VIRUSES. GENERIC ANTIVIRAL PROGRAM FLAGS ACTIVITIES - SUCH AS THE ALTERATION OF CRITICAL SITES IN RAM OR PARTICULAR FILES ON DISK - THAT ARE LIKELY TO ARISE FROM A VIRUS IN ACTION. PREVENTING THESE ILLICIT ACTS WILL NOT ELIMINATE THE VIRUS BUT CAN STOP IT FROM INFECTING ADDITIONAL PROGRAMS OR INTERFERING WITH THE COMPUTER'S NORMAL OPERATION. SIGNATURE SCANNER SEARCHES A USER'S DISKS LOOKING FOR FRAGMENTS OF PROGRAM CODE THAT APPEAR IN KNOWN VIRUSES. ANTIVIRAL SNAPSHOTS CAPTURE MATHEMATICAL "FINGERPRINTS" OF CRUCIAL PROGRAMS AND DATA. SUBSEQUENT CHANGES STRONGLY SUGGEST VIRAL INFECTION. ADVANCED ALGORITHMS CAN USE THE ORIGINAL FINGERPRINTS TO RECOVER A PRISTINE PROGRAM FROM THE VIRUS-ALTERED VERSION.

WORMS WORMS ARE PARASITIC COMPUTER PROGRAMS THAT REPLICATE, BUT UNLIKE VIRUSES, DO NOT INFECT OTHER COMPUTER PROGRAM FILES. WORMS CAN CREATE COPIES ON THE SAME COMPUTER, OR CAN SEND THE COPIES TO OTHER COMPUTERS VIA A NETWORK. WORMS OFTEN SPREAD VIA OR CHAT APPLICATIONS. IS /5/13 PAGE 7

IS /5/13 PAGE 8 PROTECTION AGAINST WORMS STEP ONE A WORM FINDS A TARGET BY SCANNING INTERNET ADDRESSES AT RANDOM UNTIL IT FINDS ONE LEADING TO A LOCAL NETWORK. IT THEN ISSUES REQUESTS TO A LOCAL SERVER PROGRAM, SUCH AS ONE GOVERNING OR FILE EXCHANGES. WHEN THE PROGRAM ANSWERS, THE WORM TRIES TO CRAWL IN. PART ONE: DETECTION STEP TWO WHEN THE WORM ATTACKS A NETWORK PROTECTED BY A DEDICATED MACHINE USING WORM-DETECTION SOFTWARE, SOME OF ITS RANDOM REQUESTS WILL TARGET THAT MACHINES ADDRESSES, WHICH ARE UNLISTED. THE MACHINE CAN THUS DETERMINE, WITH HIGH RELIABILITY, THAT THE REQUESTS ARE HOSTILE.

IS /5/13 PAGE 9 PROTECTION AGAINST WORMS STEP THREE THE DEDICATED MACHINE RESPONDS WITH FAKE SERVICES THAT PRESENT THE WORM WITH THE APPEARANCE OF A NETWORK FULL OF MACHINES AND SERVICES. THE FALSE FAÇADE TRICKS THE WORM INTO REVEALING ITS IDENTITY, SO THAT IT CAN BE TRACKED TO EVERY MACHINE IN THE NETWORK. PART TWO: DISINFECTION STEP FOUR ONCE THE WORM IS CORNERED, ADMINISTRATORS ISOLATE INFECTED MACHINES, CLEAN THEIR FILES OF EVERY TRACE OF THE WORM, AND PATCH THE OUTER WALL OF THE NETWORK SO THAT THE SAME KIND OF WORM CAN NEVER PENETRATE THAT FAR AGAIN.

IS /5/13 PAGE 10 TROJAN HORSES A TROJAN HORSE IS A MALICIOUS PROGRAM THAT PRETENDS TO BE A BENIGN APPLICATION. A TROJAN HORSE PROGRAM PURPOSEFULLY DOES SOMETHING THE USER DOES NOT EXPECT. TROJAN HORSES ARE NOT VIRUSES SINCE THEY DO NOT REPLICATE, BUT THEY CAN BE JUST AS DESTRUCTIVE. ONE TYPE OF TROJAN HORSE, KNOWN AS A LOGIC BOMB, IS SET TO EXECUTE WHENEVER A SPECIFIC EVENT OCCURS (E.G., A CHANGE IN A FILE, A PARTICULAR SERIES OF KEYSTROKES, A SPECIFIC TIME OR DATE).

IS /5/13 PAGE 11 PORT SCANNERS A NETWORKED COMPUTER GENERALLY HAS ONE PHYSICAL CONNECTION (E.G., A CABLE) CONNECTING IT TO THE NETWORK. BEFORE CLOGGING THE NETWORK WITH HEAVY TRAFFIC, TRANSMITTING MACHINES WILL SEND A SHORT MESSAGE TO MAKE SURE THAT THE RECEIVING MACHINE WILL ACCEPT THE TYPE OF MESSAGE BEING SENT, I.E., TO SEE IF THE RECEIVERS PORT FOR THAT TYPE OF MESSAGE IS OPEN. PORT SCANNER SOFTWARE IS USED TO DETERMINE WHETHER A MACHINE HAS ANY OPEN PORTS AND, IF SO, A MALICIOUS SENDER CAN EXPLOIT THAT VULNERABILITY BY FLOODING THE PORT WITH TRAFFIC, CAUSING A BUFFER OVERFLOW IN THE RECEIVERS MEMORY, WHICH CAN CAUSE THE MACHINES MEMORY TO BE OVERWRITTEN WITH BITS THAT CAN ALTER THE MACHINES BEHAVIOR. HOWEVER, THE MACHINE HAS SEVERAL NETWORK PORTS, 16-BIT PREFIXES THAT INDICATE WHAT KIND OF MESSAGES ARE BEING COMMUNICATED ( , FILE TRANSFER, WEB PAGE, ETC.).

IS /5/13 PAGE 12 PACKET SNIFFERS ARE SOFTWARE PROGRAMS THAT INTERCEPT AND LOG TRAFFIC PASSING OVER A NETWORK. PACKET SNIFFERS COMMONLY USED BY NETWORK ADMINISTRATORS TO ANALYZE NETWORK TRAFFIC PROBLEMS AND TO DETECT ATTEMPTS AT NETWORK INTRUSION, THEY CAN ALSO BE USED TO GAIN INFORMATION TO ASSIST SOMEONE WHO WISHES TO INTRUDE, TO SPY ON OTHER NETWORK USERS, AND TO COLLECT SENSITIVE INFORMATION (E.G., PASSWORDS).

IS /5/13 PAGE DATA BREACH REPORT - A 4 Threat Overview: ACTORS

IS /5/13 PAGE DATA BREACH REPORT - A 4 Threat Overview: ACTIONS

IS /5/13 PAGE DATA BREACH REPORT - A 4 Threat Overview: ASSETS

IS /5/13 PAGE DATA BREACH REPORT - A 4 Threat Overview: ATTRIBUTES