The Green Sheet Online Edition
May 23, 2011 • Issue 11:05:02
Verizon, Secret Service release data breach report
Data breaches, though more common, more destructive and more targeted than ever before, can most often be prevented using common, inexpensive security procedures, according to a new report released by the Verizon Risk Team.
In April 2011, just as the massive Sony PlayStation Network data breach panicked the media, alerted processors, and aggravated 77 million PlayStation users, the Verizon Risk Team released its 2011 Data Breach Investigations Report. This is the fourth report compiled using statistics from Verizon and the second using data from the Secret Service. This year the study also includes data from the Dutch High Tech Crime Unit. Verizon has gathered and published data breach investigation reports for seven years, collecting data on more than 1,700 breaches and 900 million compromised records.
Secret Service Agent Robert Novy of the U.S. Secret Service Office of Government and Public Affairs said the agency looks for opportunities to cooperate and share information with the public and private sectors.
The Secret Service's mission, in part, is to defend the integrity of the U.S. financial system.
The public-private cooperation is part of the mission of the Secret Service's Electronic Crimes Task Force, which is tasked with working with private partners in a cyber crime-fighting effort. There are 31 ECTF branches, two of them overseas.
Novy said the Secret Service is sharing "non-attributable data" from 667 data breach investigations in 2010 and pointed out that information contained in the Verizon report is applicable anywhere in the world.
The 2011 study includes findings that sometimes even puzzle investigators. For instance, the Verizon study found more data breaches are being reported and investigated than ever before (more than 760 data breach incidents were investigated in 2010), but the volume of data actually stolen dropped dramatically, from an estimated 144 million compromised records in 2009 to only 4 million compromised records in 2010. Last year saw the lowest volume of data loss since the Verizon data breach reports were started in 2008.
"It is fascinating from a research standpoint that the all-time lowest amount of data loss occurred in the same year as the all-time highest amount of incidents investigated," the authors wrote in the report summary. "In addition to being the largest caseload ever, it was also extremely diverse in the threat agents, threat actions, affected assets and security attributes involved."
The report describes last year's external attacks as "highly automated and prolific." Attackers used strategies such as low-and-slow attacks, internal fraud rings, device tampering schemes, social engineering, and other plots to gain access to system-stored information.
The report indicates the absolute number of breaches in each of these categories is climbing even though each category's (external, internal and partner) share of total breaches remains roughly the same.
"Ten percent used to mean approximately 10 to 15 breaches across an annual caseload averaging 100 to 150; it now means 75 breaches in the context of the 2010 caseload," the report noted.
Targets of opportunity
According to the report, most data breaches should never have happened or could have been easily prevented. The study stated, "Your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old."
The authors believe the industry must try harder to challenge hackers. "Year after year our data seems to suggest that we are not [making hackers scramble to adapt], and that is something that needs to change," they wrote. "If they adapt, then they adapt. C'est la vie. But let's quit allowing them to find success in stagnation."
The report also found 92 percent of the 2010 data breaches were the result of external attacks. This is a 22 percent increase from 2009. Meanwhile, data breaches as a result of insider attacks were down 31 percent but are still the second most common form of data breach at 17 percent.
"[We found] a huge increase in smaller external attacks rather than a decrease in insider activity," the report stated. "Partner-caused breaches continued their steady decline."
Fifty percent of 2010's breaches were the result of hacking (up 10 percent) and 49 percent were from malware (up 11 percent). "Absent, weak and stolen credentials are careening out of control," the report said.
In 83 percent of the attacks, the victims were merely targets of opportunity. Most of the attacks (92 percent) had a low level of difficulty. Most of the stolen data (76 percent) was taken from servers. Most breaches (86 percent) were found by third parties, not by the victim organization itself.
The report claims 96 percent of breaches could have been prevented with simple or intermediate controls. It also found 89 percent of the victims who are required to comply with the Payment Card Industry Data Security Standard were not compliant when they were attacked. The authors concluded, "Almost all breaches are avoidable (at least in hindsight) without difficult or expensive corrective action."
Here are some of the report's recommendations for defending against data breaches:
- Achieve essential, and then worry about excellent: "We find many organizations achieve very high levels of security in numerous areas but neglect others. Criminals will almost always prefer the easier route. Identifying a set of essential controls and ensuring their implementation across the organization without exception, and then moving on to more advanced controls where needed is a superior strategy against real-world attacks."
- Change default credentials: "Simple and sweet, when system/network admins stand up a new system, change the password. If you outsource this to a third party, check that they've changed the password."
- User account review: "The review should consist of a formal process to confirm that active accounts are valid, necessary, properly configured, and given appropriate privileges."
- Restrict and monitor privileged users: "Don't give users more privileges than they need and use separation of duties."
- Secure remote access services: "In many instances, remote access services have been enabled and are Internet-facing. ... It's important to limit access to sensitive systems within the network. Many organizations will allow any device on the network to connect and remotely access any other device; we highly recommend not managing your devices this way."
- Monitor and filter egress network traffic: "At some point during the sequence of events in many breaches, something (data, communications, connections) goes out that, if prevented, could break the chain and stop the breach. By monitoring, understanding, and controlling outbound traffic, an organization will greatly increase its chances of mitigating malicious activity."
- Application testing and code review: "It is no secret that attackers are moving up the stack and targeting the application layer. Why don't our defenses follow suit? As with everything else, put out the fires first: even lightweight Web application scanning and testing would have found many of the problems that led to major breaches in the past year."
- Enable application and network witness logs and monitor them: "Processes that provide sensible, efficient and effective monitoring and response are critical to protecting data."
- Train employees and customers to look for signs of tampering and fraud: "ATM and pay-at-the-pump tampering/fraud seem to be increasing in number and scope. Organizations operating such devices should consider conducting regular examinations of them."
- Create an incident response plan: "An effective incident response plan helps reduce the scale of a breach and ensures that evidence is collected in the proper manner."
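The "monitor and filter egress network traffic" recommendation above is the one that most directly lends itself to a concrete check: if outbound traffic from sensitive hosts is compared against what those hosts are expected to send, the exfiltration step that completes most breaches becomes visible (and, with a filter in place, blockable). The script below is an added example written for this article; it is not code from the Verizon report or from The Green Sheet. The flow-log line format, the sample records, the per-host allowlist and the 10 MiB bulk-transfer threshold are all constructed assumptions for the demonstration.

```python
"""Egress review over constructed outbound connection logs.

Added example, not from the Verizon report or The Green Sheet article.
The log format, the allowlist and the volume threshold are assumptions
constructed for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of outbound flow records from internal servers:
# timestamp, source host, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
2011-05-20T02:14:01 pos-db-01 198.51.100.7 443 1840
2011-05-20T02:14:07 pos-db-01 198.51.100.7 443 2210
2011-05-20T02:15:30 pos-db-01 203.0.113.45 6667 512
2011-05-20T02:16:02 web-01 198.51.100.7 443 930
2011-05-20T02:20:45 pos-db-01 203.0.113.45 443 52428800
2011-05-20T02:21:10 web-01 192.0.2.10 25 4096
"""

# Constructed per-host allowlist of expected external destinations (ip, port).
# A server that holds cardholder data should only ever need a handful of these.
ALLOWLIST = {
    "pos-db-01": {("198.51.100.7", 443)},                   # payment gateway (assumed)
    "web-01": {("198.51.100.7", 443), ("192.0.2.10", 25)},  # gateway + mail relay (assumed)
}

# Constructed threshold: more than 10 MiB from one host to one destination
# within the reviewed window is treated as a suspicious bulk transfer.
BULK_BYTES = 10 * 1024 * 1024


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst_ip: str
    dst_port: int
    byte_count: int


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append(Flow(parts[0], parts[1], parts[2], int(parts[3]), int(parts[4])))
        except ValueError:
            continue
    return flows


def review_egress(flows, allowlist=ALLOWLIST, bulk_bytes=BULK_BYTES):
    """Return a list of (reason, src, dst_ip, dst_port) findings.

    Two checks, mirroring the report's egress recommendation:
      1. 'unexpected-destination': a host talked to a destination outside its allowlist
         (reported once per host/destination pair).
      2. 'bulk-transfer': total bytes from one host to one destination exceeded bulk_bytes.
    """
    findings = []
    reported = set()
    totals = defaultdict(int)
    for f in flows:
        dest = (f.dst_ip, f.dst_port)
        totals[(f.src, dest)] += f.byte_count
        if dest not in allowlist.get(f.src, set()) and (f.src, dest) not in reported:
            reported.add((f.src, dest))
            findings.append(("unexpected-destination", f.src, f.dst_ip, f.dst_port))
    for (src, (ip, port)), total in totals.items():
        if total > bulk_bytes:
            findings.append(("bulk-transfer", src, ip, port))
    return findings


if __name__ == "__main__":
    for finding in review_egress(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

Run against the constructed sample, the review flags the database server's connection to an unlisted host on port 6667 and its 50 MB transfer to the same host on port 443, while the web server's traffic is clean. The same allowlist that drives the review is what a border firewall would enforce as a deny-by-default egress policy, which is the "break the chain" control the report describes.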
A copy of the report may be found at www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf.