In April 2011, Verizon released the 2011 Data Breach Investigations Report, the fourth installment in the series. Many industry insiders dismiss reports of this kind as vendor-focused or as meaningless statistics, but they can be a useful indicator of the nature of current threats and a source of recommendations for organizations interested in protecting their networks and systems.
In 2008, Verizon's caseload contained a record-setting 361 million compromised records. In 2009, this number dropped to 144 million, and in 2010 fewer than four million compromised records were reported. Production of the company's annual Data Breach Investigations Report is assisted by the United States Secret Service (USSS) and, for the first time, by the Dutch National High Tech Crime Unit (NHTCU). As a result, the company was able to examine approximately 800 new compromise incidents since its last report.
The report revealed that in 2010, the US Secret Service arrested over 1,200 suspects for cybercrime violations. These investigations involved more than $500 million in actual fraud loss and prevented approximately $7 billion in additional losses.
The report uncovered several significant statistics on the parties responsible for data breaches. Investigators found that 92% of data breaches stemmed from external agents, an increase of 22 percentage points over the previous year's report. 17% implicated insiders, a decrease of 31 percentage points from the previous report. Less than 1% of data breaches resulted from business partners, a decrease of 10 percentage points. Finally, 9% of data breaches involved multiple parties (which is why the figures do not sum to 100%).
Half (50%) of the data breaches reported utilized some form of hacking, while 49% incorporated the use of malware. 29% of data breaches involved some sort of physical attack; this year marks the first appearance of physical attacks among the top three threat actions. Breaches resulting from privilege misuse (17%) and breaches employing social tactics (11%) both decreased significantly.
Verizon’s 2011 Data Breach Investigations Report leaves readers with a number of suggestions for improving their security posture. The report suggested that mitigation efforts be focused on the following key areas:
- Eliminate unnecessary data and concentrate on the remaining data
- Ensure essential controls are met
- Assess remote access services
- Test and review web applications
- Audit user accounts and monitor privileged activity
- Monitor and mine event logs
- Examine ATMs and other payment card input devices for tampering
Surprisingly enough, the report concluded that most organizations already know what to do to prevent data breaches from happening. It states in the conclusion,
“… surely after examining another 800 breaches in the past year, we’d have plenty of new recommendations to solve all your security woes, right? Quite wrong, actually. The latest round of evidence leads us to the same conclusions as before: your security woes are not caused by the lack of something new… They almost surely have more to do with not using, under using, or misusing something old.”
The report found that the cost of the recommended preventive measures was for the most part "simple and cheap" (63%); only 33% were ranked as "intermediate," and a mere 4% of preventive measures were classified as "difficult and expensive." After assessing the top attacks, Verizon identified the recommendations listed below:
- First achieve essential objectives, then focus on surpassing them.
- Change default credentials. System and network administrators should change the default password whenever a new system is set up. If setup is outsourced to a third party, it is especially important to verify that this was done.
- Review user accounts on a regular basis. This should involve a formal process to confirm that active accounts are valid, necessary, properly configured and given appropriate (or least necessary) privileges.
- Restrict and monitor privileged users. Pre-employment screening should be used to eliminate problematic individuals. Users should not be given more privileges than required and separation of duties is essential.
- Secure remote access services so that only specific IP addresses or networks are able to reach them.
- Monitor and filter egress network traffic.
- Implement application testing and code review.
- Enable application and network witness logs and monitor them.
- Define “suspicious” and “anomalous” and search according to your definitions.
- Change the approach to event monitoring and log analysis.
- Increase awareness of social engineering.
- Train employees and customers to look for signs of tampering and fraud.
- Create an official Incident Response Plan.
- Implement mock incident testing.
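Several of the items above (restricting remote access to known networks, monitoring privileged users, defining "suspicious" before searching the logs) are concrete enough to turn into code. The following script is an added example and is not part of the Verizon report or of this article; the log format, hostnames, addresses and allowlisted networks are all constructed for illustration. It defines three rules explicitly and runs them over a handful of sshd-style authentication lines: a successful remote login from outside the allowlisted networks, any remote login by a privileged account, and a success that follows a burst of failures.

```python
"""Added example (not from the Verizon 2011 DBIR): mining remote-access
logs against explicit, written-down definitions of "suspicious".

Rules implemented (each maps to a recommendation in the report):
  1. successful remote access must originate from an allowlisted network,
  2. privileged accounts (root, admin) must not log in over remote access,
  3. a success preceded by repeated failures from the same source is
     treated as a probable brute-force login.

All log lines, addresses and networks below are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: the only networks permitted to reach the remote-access service.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]
# Constructed: accounts considered privileged for rule 2.
PRIVILEGED_USERS = {"root", "admin"}
# Number of failures before a following success is flagged by rule 3.
FAILURE_THRESHOLD = 3

RULE_NON_ALLOWLISTED = "remote access from non-allowlisted network"
RULE_PRIVILEGED = "privileged account used over remote access"
RULE_BRUTE_FORCE = "success after repeated failures (probable brute force)"

# Constructed sshd-style syslog lines (assumed format for the example).
SAMPLE_LOG = """\
Mar 14 02:11:03 vpn1 sshd[4012]: Accepted password for jsmith from 10.20.5.8 port 51022 ssh2
Mar 14 02:14:41 vpn1 sshd[4020]: Failed password for admin from 198.51.100.77 port 40111 ssh2
Mar 14 02:14:45 vpn1 sshd[4021]: Failed password for admin from 198.51.100.77 port 40112 ssh2
Mar 14 02:14:49 vpn1 sshd[4022]: Failed password for admin from 198.51.100.77 port 40113 ssh2
Mar 14 02:14:53 vpn1 sshd[4023]: Accepted password for admin from 198.51.100.77 port 40114 ssh2
Mar 14 03:02:10 vpn1 sshd[4101]: Accepted publickey for root from 203.0.113.9 port 33321 ssh2
Mar 14 03:40:00 vpn1 sshd[4150]: Accepted password for mjones from 203.0.113.40 port 33390 ssh2
"""

# Matches both "Accepted password for X from" and "Failed password for
# invalid user X from" (the "invalid user" prefix is optional).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Yield (result, user, source_ip) for every line matching the sshd pattern."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def is_allowed(ip):
    """True if the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_suspicious(log_text):
    """Apply the three rules and return a list of (rule, user, source_ip)."""
    findings = []
    # Consecutive failures seen so far per (user, source) pair; reset on success.
    failures = defaultdict(int)
    for result, user, ip in parse(log_text):
        key = (user, ip)
        if result == "Failed":
            failures[key] += 1
            continue
        # From here on the line is a successful login.
        if not is_allowed(ip):
            findings.append((RULE_NON_ALLOWLISTED, user, ip))
        if user in PRIVILEGED_USERS:
            findings.append((RULE_PRIVILEGED, user, ip))
        if failures[key] >= FAILURE_THRESHOLD:
            findings.append((RULE_BRUTE_FORCE, user, ip))
        failures[key] = 0
    return findings


if __name__ == "__main__":
    for rule, user, ip in find_suspicious(SAMPLE_LOG):
        print(f"{rule}: user={user} src={ip}")
```

Run against the constructed sample, the script flags the `admin` login from 198.51.100.77 three times (outside the allowlist, privileged, and preceded by three failures) and the `root` login once (privileged), while the ordinary user logins from allowlisted networks produce nothing. The point is the one the report makes: the rules are cheap to write and cheap to run; what costs organizations is never deciding what "suspicious" means for their own remote-access services.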
This article takes a look at Verizon Business's 2011 Data Breach Investigations Report, released in April 2011. The report presents information on data breaches investigated by Verizon, the USSS and the NHTCU during 2010. The article examines a few data breach trends, such as the source of threats and the nature of the attacks, and looks at the recommended preventive measures that organizations can take to mitigate data breaches.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Enterprise and information risk management (Domain 2)
- Data security lifecycle (Domain 5)
- Insider abuse (Domain 7)
- Business continuity management/disaster recovery (Domain 7)
- Access control (Domain 12)