The Ongoing Battle Against Breaches

I've seen some interesting security trends develop over the course of 2013 and into 2014 -- BYOD security management and the increased scrutiny on cloud security, to name a couple.

One of the trends that I have found most interesting is the practice of businesses monitoring for employee and customer login credentials, and company devices that have already been compromised. On the surface, this may seem a bit bizarre, but when you look at some recent statistics, the practice begins to make sense. Think about this:

When someone uses the same login credentials across multiple websites, an email address or password compromised in one company's data breach can expose that person's accounts on a multitude of completely unrelated websites. Or consider malware. Antivirus programs are important, but they can't keep up with the rate at which malware is evolving (see the 300,000 viruses per day stat, above). We've seen the emergence among businesses of two practices that focus on searching for compromised credentials and devices: monitoring the black market and finding compromised IP addresses.

Monitoring The Identity Black Market:

When a breach occurs, the stolen information is often posted on a site, like PasteBin, that is considered public domain. Some businesses are monitoring these sites for employee and customer credentials. When a compromised credential is found, the business then asks the customer or employee to update his/her password. After the news of Adobe's November breach broke, I received an email request from Eventbrite asking me to change my password.

Proactive monitoring is done in real time, which means a business can learn that an employee email address or password has been compromised the instant it is posted in a chat room, website or message board. This gives businesses the opportunity to react to the compromised information and subsequently mitigate the impact and risk of that stolen credential. However, the problem extends a bit further if the device the customer or employee is using has, in fact, been compromised. Changing account details, and passwords for that matter, will not fix the problem; fraudsters can simply re-steal the updated credential.

Identifying Compromised IP Addresses:

The second and newer trend I've seen in business security, an adaptation to the ever-changing fraud market, is identifying company devices with compromised IP addresses. Most compromised credentials are stolen via malware, which is growing at an alarming rate. Most malware does two things: it collects information from the compromised device and sends out spam to infect additional computers. Businesses can track and collect different malware strains. Once collected, the strains are scanned and analyzed to identify the locations they communicate with, whether to send stolen data back or to receive additional instructions. To identify compromised devices and the types of data extracted from them, businesses can then match the IP addresses on their own network against the addresses of the databases the malware sends stolen information to. It sounds complicated, but it is an automated process that can quickly tell a business whether a computer has been infected by malware.
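As an added illustration of the matching step described above (example code, not the author's software), the following Python checks outbound connections from company hosts against a list of destinations extracted from malware analysis. The indicator addresses, the log lines and the flow format are all constructed for the example, and the destination list would in practice come from the malware analysis pipeline.

```python
import ipaddress
from collections import defaultdict

# Constructed indicator list (TEST-NET addresses, hypothetical): destinations seen in
# sandboxed malware samples, labelled with what the sample was observed doing with each.
MALWARE_DESTINATIONS = {
    "198.51.100.23": "stealer drop server (receives stolen data)",
    "203.0.113.77": "stealer command host (sends instructions)",
    "192.0.2.10": "spam bot controller",
}

# Constructed outbound-connection log: "timestamp src_ip dst_ip dst_port bytes_out"
SAMPLE_LOG = """\
2014-01-14T09:02:11 10.0.4.21 93.184.216.34 443 1204
2014-01-14T09:02:40 10.0.4.21 198.51.100.23 8080 48211
2014-01-14T09:03:05 10.0.7.9 203.0.113.77 80 612
2014-01-14T09:03:30 10.0.4.21 203.0.113.77 80 590
2014-01-14T09:04:02 10.0.9.3 192.0.2.10 25 20480
2014-01-14T09:04:55 10.0.7.9 93.184.216.34 443 3300
"""

def parse_log(text):
    """Parse the flow format above into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        records.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return records

def find_compromised(log_text, destinations=MALWARE_DESTINATIONS):
    """Map each company (private-range) source IP that contacted a known malware
    destination to its matching connections and the total bytes it sent to them."""
    findings = defaultdict(lambda: {"hits": [], "bytes_out": 0})
    for rec in parse_log(log_text):
        if not ipaddress.ip_address(rec["src"]).is_private:
            continue  # only company devices are in scope
        label = destinations.get(rec["dst"])
        if label is None:
            continue  # ordinary traffic, no indicator match
        entry = findings[rec["src"]]
        entry["hits"].append((rec["ts"], rec["dst"], rec["port"], label))
        entry["bytes_out"] += rec["bytes"]
    return dict(findings)

if __name__ == "__main__":
    for host, info in sorted(find_compromised(SAMPLE_LOG).items()):
        print(f"{host}: {len(info['hits'])} connection(s), {info['bytes_out']} bytes out")
```

The bytes-out total per host is what distinguishes a single beacon from a device that has already shipped data to a drop server.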

Our software identifies an average of eight million compromised IP addresses every 14 days. The increase of these infected devices has led to the rising availability of malicious underground services. These services, in particular, target legitimate organizations of all sizes in order to disrupt or disable their direct competitors. Distributed Denial of Service (DDoS) attacks, spam campaigns and other underground acts are now more affordable than ever, which poses an even greater risk to businesses and their employees.

I expect to see these two monitoring trends become more prevalent in 2014. Businesses, no matter how large or how much money they invest in system security, cannot keep up with the rate at which malware is evolving or contend with consumers' bad password habits. Monitoring for compromised credentials and IP addresses is an easy way to identify a potential breach point before extensive damage can be done.