By Peter Tippett and Wade Baker

Studies are useful to help us to learn what works and what does not. Studies of other’s experiences, such as The Verizon Business 2008 Data Breach Investigations Report, are especially instructive. But most of us crave to actually understand why events play out as they do, and to be able to accurately predict what the results of those studies will be. Risk models can be very useful in driving our understanding.

(more…)

Bryan Sartin, Director of Investigative Response for Verizon Business Security Solutions, was recently interviewed by Michael Johnson at PodTech. Visit the links below to listen.

(more…)

By Wade Baker

After a long working session on the “Data Breach Investigations Report”, my co-authors and I decided a lunch break was in order. Mealtime conversation meandered through a diverse range of topics and eventually settled on the recent movie “No Country for Old Men.” Dave, a bit more of film connoisseur than Andrew or I, gave it five stars. Although I appreciated the cinematography and acting, I didn’t think it lived up to all the hype it received. I believe Andrew’s sentiments were similar. We did, however, unanimously agree on one thing: if a stranger walks up to you with a tank of compressed air and tries to press a strange metal apparatus to your forehead, it’s best not to just stare blankly and let that happen.

Although they rarely look so freakishly suspicious, findings from the report remind us that a dose of healthy caution when dealing with business partners might not be a bad idea either. (more…)

One of the more commonly referenced findings from our “2008 Data Breach Investigations Report” is that 87% of breaches could have been avoided if “reasonable security controls” had been in place at the time of the incident. As this statistic filters through the press and blogs, some are suggesting our use of the term “reasonable” has legal implications, or refers to controls that are “extravagantly hard” to implement. Such interpretation is simply not justified, and we’d like to set the record straight.
(more…)

How much better is it to have a world-class patching process compared to an average one? Could it ever be detrimental to patch too fast? And what does patching have to do with cholera? Two earlier Verizon Business Risk Team Studies shed more light on this subject.

The recently published “Verizon Business 2008 Data Breach Investigations Report” describes characteristics of more than 500 computer crime investigations performed over the past four years. Our data shows that in only 18% of cases in the hacking category (see Figure 11) did the attack have anything to do with a “patchable” vulnerability. Further analysis in the study (Figure 12) showed that 90% of those attacks would have been prevented had patches been applied that were six months in age or older! Significantly, patching more frequently than monthly would have mitigated no additional cases.

(more…)

At considerable investment in time and resources, Verizon Business began an initiative in 2007 to identify a comprehensive set of metrics to record during each data compromise investigation. As a result of this effort, we pursued a post-mortem examination of over 500 security breach and data compromise engagements between 2004 and 2007 which provided us with the vast amount of factual evidence used to compile this study. This data covers 230 million compromised records. Amongst these are roughly one-quarter of all publicly disclosed data breaches in both 2006 and 2007, including three of the five largest data breaches ever reported.

(more…)

I used to think that Intrusion Detection Systems (IDS) and Managed Security Services (MSS) were a waste of time. After all, most attacks that I had worked on began, and were over, within seconds, and were typically totally automated. In my mind, an IDS alarm going off, or getting a call from the SOC operator, would be like the captain of a ship getting an alarm such as: “Captain, a torpedo passed through engines #2 and #3, and exited the starboard flank. We will be sinking in seven minutes.”

But the Verizon Business 2008 Data Breach Investigations Report tells a very different story.

(more…)