Monday, May 2, 2011
In April 2011, just as the massive Sony PlayStation Network data breach panicked media, alerted processors, and aggravated 77 million PlayStation users, Verizon Risk Team released its 2011 Data Breach Investigations Report. This is the fourth report compiled using statistics from Verizon and the second using data from the United States Secret Service. This year the study also includes data from the Dutch High Tech Crime Unit. Verizon has gathered and published data breach investigation reports for seven years, collecting data on more than 1,700 breaches and 900 million compromised records.
Secret Service Agent Robert Novy of the USSS Office of Government and Public Affairs said his agency looks for opportunities to cooperate and share information with the public and private sectors. The Secret Service's mission, in part, is to defend the integrity of the U.S. financial system.
The public-private cooperation is part of the mission of the Secret Service's Electronic Crimes Task Force, which works with private partners in a cybercrime-fighting effort. There are 31 ECTF branches, two of them overseas.
Novy said the Secret Service is sharing "non-attributable data" from 667 data breach investigations in 2010. The goal is to create a report that is easy to understand and that has metrics and statistics emphasizing the need for vigilant information technology (IT) security. Novy said he hopes the study will help both the public and private sectors understand where, when and how breaches are occurring, while helping to advance detection and prevention strategies.
Novy pointed out that information contained in the Verizon report is applicable anywhere in the world.
The 2011 study includes findings that sometimes even puzzle investigators. For instance, the Verizon study found more data breaches are being reported and investigated than ever before (more than 760 data breach incidents were investigated in 2010), but the volume of data actually stolen dropped dramatically, from an estimated 144 million compromised records in 2009 to only 4 million compromised records in 2010. Last year saw the lowest volume of data loss since the Verizon data breach reports were started in 2008.
"It is fascinating from a research standpoint that the all-time lowest amount of data loss occurred in the same year as the all-time highest amount of incidents investigated," the authors wrote in the report summary. "In addition to being the largest caseload ever, it was also extremely diverse in the threat agents, threat actions, affected assets and security attributes involved."
The report describes last year's external attacks as "highly automated and prolific." The attacks included strategies such as low-and-slow attacks, internal fraud rings, device tampering schemes, social engineering, and other plots to gain access to system-stored information.
The report indicates that the number of incidents of these diverse kinds of fraud is climbing, even though the proportion of data breaches attributed to each source (external, internal and partners) relative to total aggregate data breaches remains the same.
"Ten percent used to mean approximately 10 to 15 breaches across an annual caseload averaging 100 to 150; it now means 75 breaches in the context of the 2010 caseload," the report noted.
Targets of opportunity
According to the report, most data breaches should never have happened or could have been easily prevented. The study stated, "Your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old."
The authors believe the industry must try harder to challenge hackers. "Year after year our data seems to suggest that we are not [making hackers scramble to adapt], and that is something that needs to change," they wrote. "If they adapt, then they adapt. C'est la vie. But let's quit allowing them to find success in stagnation."
The report also found 92 percent of the 2010 data breaches were the result of external attacks. This is a 22 percent increase from 2009. Meanwhile, data breaches as a result of insider attacks were down 31 percent but are still the second most common form of data breach, at 17 percent.
"[We found] a huge increase in smaller external attacks rather than a decrease in insider activity," the report stated. "Partner-caused breaches continued their steady decline."
Fifty percent of 2010's breaches were the result of hacking (up 10 percent), and 49 percent were from malware (up 11 percent). "Absent, weak, and stolen credentials are careening out of control," it said.
In 83 percent of the attacks the victims were merely targets of opportunity. Most of the attacks (92 percent) had a low level of difficulty. Most of the stolen data (76 percent) was taken from servers. Most breaches (86 percent) were discovered by third parties, not by the victim whose system was hacked.
The report claims 96 percent of breaches could have been prevented with simple or intermediate controls. It also found 89 percent of the victims who are required to comply with the Payment Card Industry Data Security Standard were not compliant when they were attacked. The authors concluded, "Almost all breaches are avoidable (at least in hindsight) without difficult or expensive corrective action."
Here are some of the Data Breach Investigations Report recommendations for defending against data breaches:
A copy of the report may be found at www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf.