To show how quickly a cyber criminal can hack into a database, Travelers’ Cyber Fraud investigative team developed a mock business website built on a common open source platform with a common weakness, or vulnerability, that would make it a prime target for cyber criminals. At a recent event, the team demonstrated how it is possible to hack into the site, download sensitive data and deface the homepage of the site in a matter of minutes.
For the demonstration, Travelers’ Cyber Fraud professional Kurt Oestreicher was able to input a command into the user name and password field, which allowed him to gain administrative access to the website, download the credit card application file and replace the homepage image with a demand for $1 million.
With the spread of ready-made hacking kits, including penetration testing tool kits originally built to help defenders test their own networks, attackers can identify exploitable weaknesses in minutes. Understanding those vulnerabilities and how to defend against them can help companies protect their data from thieves in search of valuable personal information.
“Computer attacks are not magic,” explains Chris Hauser, a Travelers Cyber Fraud professional and former FBI agent responsible for cyber investigations. “They are a series of discrete attacks taking advantage of certain vulnerabilities.”
An SQL Injection Attack
The Astonishing Furniture mock website, built on the free, open source content management system Drupal, features an online application for a store credit card. Here, consumers would enter sensitive information, including their social security number, date of birth and income, which the site stores in a database. The web application in front of that database was vulnerable to an SQL injection attack.
An SQL injection attack exploits a flaw in how an application builds database queries from user input: text typed into a form field is pasted directly into the SQL statement, so input that contains SQL syntax becomes part of the query rather than being treated as plain data. In the demonstration, the vulnerability in Drupal allowed the hacker to enter such code in the user name and password fields of the login form. From there, the hacker could assign an administrative user name and password and, with that access, execute commands on the server, including downloading the sensitive data.
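The mechanics described above, as an added example that is not code from the original article, from Travelers or from the Drupal project: a minimal login check written two ways in Python against an in-memory SQLite database. The table contents, the `admin'--` login and the UNION payload are all constructed for the illustration and do not reproduce the specific Drupal flaw; `run_vulnerable_query` splices form input into the SQL text the way an injectable application does, while `safe_login` binds the same input as query parameters.

```python
import sqlite3

# Constructed sample data for this example (not the demo site's real schema):
# a CMS-style users table and the store credit card application table the
# article describes. Plaintext passwords are a simplification for the demo;
# a real application stores salted hashes, which by itself does not stop injection.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'admin', 'hunter2', 'administrator');
INSERT INTO users VALUES (2, 'clerk', 'letmein', 'staff');
CREATE TABLE card_applications (
    id INTEGER PRIMARY KEY, applicant TEXT, ssn TEXT, dob TEXT, income INTEGER);
INSERT INTO card_applications VALUES (1, 'A. Customer', '123-45-6789', '1980-01-01', 52000);
INSERT INTO card_applications VALUES (2, 'B. Customer', '987-65-4321', '1975-06-15', 61000);
"""


def fresh_db():
    """Return an in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_vulnerable_query(conn, username, password):
    """The injectable pattern: form input is pasted into the SQL text, so
    quotes, comment markers and UNION clauses typed by the user become SQL."""
    query = (
        "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def vulnerable_login(conn, username, password):
    """Login check built on the injectable query: returns (name, role) or None."""
    rows = run_vulnerable_query(conn, username, password)
    return rows[0] if rows else None


def safe_login(conn, username, password):
    """The fix: a parameterized query. The statement text is fixed and the
    driver binds the two values, so input is only ever compared as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? AND password = ?",
        (username, password),
    ).fetchone()


# Two constructed payloads of the kind the demonstration relied on.
# 1. Authentication bypass: close the quoted name and comment out the rest of
#    the statement ("--" starts a comment in SQLite and PostgreSQL; MySQL
#    requires a space after it). The password check never runs.
BYPASS_USERNAME = "admin'--"
# 2. Data theft: append a UNION that pulls rows from an unrelated table
#    through the same login query, here the applicants' names and SSNs.
DUMP_USERNAME = "' UNION SELECT applicant, ssn FROM card_applications--"


if __name__ == "__main__":
    conn = fresh_db()
    print("vulnerable, bypass :", vulnerable_login(conn, BYPASS_USERNAME, "wrong"))
    print("vulnerable, dump   :", run_vulnerable_query(conn, DUMP_USERNAME, "wrong"))
    print("safe, bypass       :", safe_login(conn, BYPASS_USERNAME, "wrong"))
    print("safe, real creds   :", safe_login(conn, "admin", "hunter2"))
```

The parameterized version is the whole fix: the attacker's quote and comment marker are compared against the `name` column as a literal string and match nothing, so both the bypass and the UNION dump return no rows, while a genuine user name and password still log in. Escaping input by hand or filtering for keywords is not a substitute, since it has to be right at every query in the application.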
“If we think of Astonishing Furniture as an example of a typical commercial entity, our data shows us they probably do not have a plan in the event of an attack,” says Travelers Cyber Lead Tim Francis, who notes that small and mid-sized companies are often the least prepared. “They lack some of the resources and the expertise to adequately prevent against these attacks from occurring in the first place and when these attacks do occur, they are often the least likely to be able to respond.”
A Preventable Problem
“SQL injections are a very common attack mode,” says Hauser, who explains that the attack allows hackers to enter malicious code into a data entry field. “It is considered low-hanging fruit and it is one of the most preventable forms of computer hacking.”
The Drupal project had identified this vulnerability and issued a patch to remedy it, but not all businesses practice timely patch management. As the 2015 Verizon Data Breach Investigations Report found, ten common vulnerabilities and exposures, or CVEs, accounted for almost 97% of the exploits observed in 2014. The report also found that 99.9% of exploited vulnerabilities were compromised more than a year after the CVE had been published, meaning a fix had typically been available long before the attack.
Poor vendor management is partly to blame when a preventable hack like this goes uncaught, according to Mark Greisiger of NetDiligence, which provides data breach crisis services. “Very often, clients are outsourcing their computing to third-party contractors, vendors and clouds, and those entities are having mishaps,” says Greisiger. “These third-party entities are in the care, custody and control of policyholders’ data. Doing due diligence on vendors is becoming more critical in the coming years.”
Implementing a vulnerability management program, one that tracks which software a company runs and applies available patches on a schedule, can help companies systematically defend against known vulnerabilities rather than respond to one-off threats. Francis also points to employee training and to tabletop exercises, in which companies rehearse their response to an attack before one happens. A breach coach can be an essential part of managing a data event, says Francis, acting as a first responder, along with the carrier’s claims professionals, to help the company triage the event.
Cyber insurance can also help companies before an event takes place by supplying risk management tools and advice, along with access to a breach coach, forensics consultants and other professionals in the data security community who can help strengthen their information security.