Safe Internet Alliance

Guest posted by: Linda Criddle, president of Safe Internet Alliance

Increased insider threats and social engineering tactics, plus heavy involvement by organized crime groups are key findings of the new 2010 Data Breach Investigations Report released by Verizon and in cooperation with the U.S. Secret Service.

The good news is that there were fewer data breaches investigated in 2009 than in 2008 - hopefully this is the start of a downward trend and not an anomaly. 

The bad news is sobering. The study covered 900-plus breaches involving over 900 million compromised records worldwide from 2004 thru 2009. And, the report concludes, "for the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60 percent) continue to be discovered by external parties and then only after a considerable amount of time.  And while most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes."

Data breaches continue to occur within all types of organizations. Financial services, hospitality and retail still comprise the "Big Three" of industries affected (33%, 23% and 15%, respectively) in the merged Verizon-Secret Service dataset, though tech services edged out retail in Verizon's caseload.  A growing percentage of cases and an astounding 94% of all compromised records in 2009 were attributable to financial services.

Excerpt:

The report cited stolen credentials as the most common way of gaining unauthorized access into organizations in 2009, pointing once again to the importance of strong security practices both for individuals and organizations.  Organized criminal groups were responsible for 85 percent of all stolen data last year, the report said. 

Verizon Business investigative experts found, as they did in the company's prior data breach reports, that most breaches were considered avoidable if security basics had been followed.  Only 4 percent of breaches assessed required difficult and expensive protective measures.

The 2010 report concluded that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60 percent) continue to be discovered by external parties and then only after a considerable amount of time.  And while most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes.

Key Findings of the 2010 Report

This year's key findings both reinforce prior conclusions and offer new insights. These include:  

• Most data breaches investigated were caused by external sources.  Sixty-nine percent of breaches resulted from these sources, while only 11 percent were linked to business partners.  Forty-nine percent were caused by insiders, which is an increase over previous report findings, primarily due in part to an expanded dataset and the types of cases studied by the Secret Service.

• Many breaches involved privilege misuse.  Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information.  An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.

• Commonalities continue across breaches.  As in previous years, nearly all data was breached from servers and online applications. Eight-five percent of the breaches were not considered highly difficult, and 87 percent of victims had evidence of the breach in their log files, yet missed it.

• Meeting PCI-DSS compliance still critically important.  Seventy-nine percent of victims subject to the PCI-DSS standard hadn't achieved compliance prior to the breach.  

The State of Cybercrime: 2010

The report said the decline in the overall number of data breaches may be due to a number of factors, including "law enforcement's effectiveness in capturing criminals."  The report cited the arrest of Albert Gonzalez, one of the world's most notorious computer hackers, who pleaded guilty to helping run a global ring that stole hundreds of millions of payment card numbers and who was sentenced last year to 20 years in prison.

"The reduction in breaches is a positive sign that we are gaining some ground in the fight against cybercrime," said Tippett.  "As we are able to share more information through the use of the VERIS security research framework to gather comparative security data such as the caseload of the Secret Service, we believe we will be even better equipped to arm organizations with best practices, processes, tools and services that will continue to make a difference."

Data breaches continue to occur within all types of organizations. Financial services, hospitality and retail still comprise the "Big Three" of industries affected (33 percent, 23 percent and 15 percent, respectively) in the merged Verizon-Secret Service dataset, though tech services edged out retail in Verizon's caseload.  A growing percentage of cases and an astounding 94 percent of all compromised records in 2009 were attributable to financial services.

More than half of the breaches investigated by Verizon in 2009 occurred outside the U.S., while the bulk of the breaches investigated by the Secret Service occurred in the U.S.  The report finds no correlation between an organization's size and its chances of suffering a data breach.

"Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size," Verizon researchers noted.

Recommendations for Enterprises

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits.

These actions include:

• Restrict and monitor privileged users.  The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged and messages detailing activity generated to management.

• Watch for 'Minor' Policy Violations.  The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization's policies.  Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.

• Implement Measures to Thwart Stolen Credentials.  Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.

• Monitor and Filter  Outbound Traffic.  At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization's network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.

• Change Your Approach to Event Monitoring and Log Analysis. Almost all victims have evidence of the breach in their logs. It doesn't take much to figure out that something is amiss and make needed changes.  Organizations should make time to review more thoroughly batch-processed data and analysis of logs. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.

• Share Incident Information. An organization's ability to fully protect itself is based on the information available to do so.  Verizon believes the availability and sharing of information are crucial in the fight against cybercrime.  We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.
               
A complete copy of the "2010 Data Breach Investigations Report" is available at http://www.verizonbusiness.com/go/2010databreachreport/.