2008 Data Breach Investigations Report

Russ Cooper
June 10th, 2008

At considerable investment in time and resources, Verizon Business began an initiative in 2007 to identify a comprehensive set of metrics to record during each data compromise investigation. As a result of this effort, we pursued a post-mortem examination of over 500 security breach and data compromise engagements between 2004 and 2007 which provided us with the vast amount of factual evidence used to compile this study. This data covers 230 million compromised records. Amongst these are roughly one-quarter of all publicly disclosed data breaches in both 2006 and 2007, including three of the five largest data breaches ever reported.

The Verizon Business 2008 Data Breach Investigations Report contains first-hand information on actual security breaches rather than on network activity, attack signatures, vulnerabilities, public disclosures and media interpretation. Those other sources typically rest on what IT administrators report, which in turn is all too often based on gut instinct rather than on factual evidence.

It is a given that our data is not intended to state facts regarding all Internet crime or all computer criminal activity, but rather the findings from our own caseload. For instance, 55% of our cases involved the Retail and Food and Beverage industries, while only 14% involved the Financial Services industry. A study involving a different mix of businesses may well reach other findings. We do believe, however, that given the volume of cases and the time period covered, our findings are significant to any industry.

Further, the reader may note findings that are at odds with commonly held beliefs. For example, only 22% of our cases involved exploitation of a vulnerability; of those, more than 80% involved a known vulnerability, and every one of those had a patch available at the time of the attack. This is not to say that patching is not effective or necessary, but we do suggest that the emphasis placed on it by most organizations is misplaced and exaggerated. For the sake of clarity, 78% of the breaches we handled would still have occurred if systems had been 100% patched the instant a patch became available. Clearly patching isn’t the solution to the majority of breaches we investigated.

With this understood, there are a number of important findings worth noting here.

While criminals more often came from external sources, and insider attacks result in the greatest losses, criminals at, or operating via, partner connections actually represent the greatest risk. This follows from our risk equation: Threat × Impact = Risk, where Threat is the share of cases involving that source and Impact is the median number of records compromised.

  • External criminals pose the greatest threat (73%), but achieve the least impact (30,000 compromised records), resulting in a Pseudo Risk Score of 21,900
  • Insiders pose the least threat (18%), and achieve the greatest impact (375,000 compromised records), resulting in a Pseudo Risk Score of 67,500
  • Partners are in the middle on both counts (39% and 187,500), resulting in a Pseudo Risk Score of 73,125

While these are rudimentary numbers, the relative risk scores are reasonable and discernible. It is also worth noting that the Partner numbers rose five-fold over the duration of the study, making partner crime the leading factor in breaches. This is likely due to the ever increasing number of partner connections businesses are establishing, while doing little or nothing to increase their ability to monitor or control their partners’ security posture. Perhaps as expected, where a breach came from an insider, that insider was an IT administrator 50% of the time.

While the study does indicate that Asian countries represent the largest share of geographic sources (35%), it strongly refutes the common suggestion that all attacks are coming from China. We acknowledge that determining the source of an attack strictly from IP addresses is extremely difficult; our investigations do not stop there, however, and are therefore far more reliable than other studies on the topic.

We are continually dismayed at the number of breaches that involve what we term “omission”. An example of omission would be policies that were established and believed to be in place, but in fact were not. 49% of all cases involved some form of omission. 66% of all cases involved data the victim did not know existed, or did not know was being stored where it was.

Other significant findings:

  • Three quarters of all breaches are not discovered by the victim
  • Attacks were typically not highly difficult and did not require advanced skills
  • 85% of attacks are opportunistic rather than targeted
  • 87% could have been prevented by reasonable measures any company should have been capable of implementing or performing

From our findings, Verizon Business Solutions Powered By Cybertrust offers several basic suggestions to every company hoping to avoid needing our Forensic services:

  • Ensure that basic and essential security controls are met consistently across your entire organization, and that these controls are actually implemented as stated in your policies. This simple step alone removes you from the low-hanging fruit that represents the 85% of attacks which were opportunistic
  • Know what data you have, what its value is, and where it is stored and being used. You can’t secure something you don’t know is there, and you won’t secure something unless you recognize its value. Criminals already know where applications store data, even when the application does not make that obvious to the data’s user or owner, so ask your vendors.
  • Monitoring often creates information overload. Simply logging everything through your firewall could create enough work to keep several analysts busy every day. Be more strategic in your logging solutions and configurations. Heavily log those systems that are critical, or that store the critical data criminals want. By being more selective in your logging you may well make it more obvious to your burdened analysts when a criminal is active.

We believe you’ll find the information within this study to be a potential goldmine of data and insight.


Comments

  1. 73% + 18% + 39% = 130%. What accounts for the 30% overlap?

    Posted by: Neal Krawetz on June 16th, 2008 at 1:15 pm
  2. This is a question we’ve been asked quite a bit during webinars and other discussions on the study. The answer is that many cases (30%) involved more than one source. For instance, the scenario described in the paper where an external entity compromised a partner and then used the partner’s connection to attack the victim would get a check next to both ‘external’ and ‘partner’ sources. You’ll note that the 30% figure is mentioned on page 2 of the report as being “multiple parties.”

    Posted by: Russ Cooper on June 16th, 2008 at 2:32 pm
  3. [...] Part I of this two-podcast series, Bryan Sartin provides a general overview of the 2008 Data Breach Investigations Report and describes the methodology used to compile the findings of this ground-breaking analytical [...]

    Posted by: Verizon Business Security Blog » Blog Archive » Bryan Sartin on the Data Breach Investigations Report on June 20th, 2008 at 3:59 pm
  4. Posted by: Ma petite parcelle d'Internet... on June 22nd, 2008 at 6:28 pm
  5. The biggest hidden risk of data security involves IT disposal. Often companies rely on electronics recyclers to protect them by destroying data on retired hard drives.

    Sadly, 80% of unwanted US computer equipment is exported to developing countries by these so-called recyclers – often with confidential data still on hard drives.

    As the Verizon study states “criminals prefer to exploit weaknesses rather than strengths.” What could be easier than buying old hard drives from an e-scrap dealer in Nigeria?

    Outsourcing IT disposal makes sense. But if an organization fails to maintain proper oversight, outsourcing actually increases the risks, provides a false sense of security, and is likely the majority of the 90% of breaches that involve some type of “unknown unknown.”

    Kyle Marks
    President & CEO
    Retire-IT, LLC
    kmarks@retire-it.com

    Posted by: Retire-IT on August 5th, 2008 at 8:28 pm
  6. Kyle,

    Given that there are absolutely no knowns in “unknown unknown”, speculating that anything represents the majority of those cases is, well, wild speculation. Honestly, it’s as likely to be use of graphics card memory for tools or violation of VM boundaries. It could be anything.

    Also, from a risk calculation perspective, the simple cost of purchasing drives, let alone drives from Nigeria, would make this an unlikely option for criminals. It’s far easier to compromise a system electronically via no-cost bots across no-cost network links than to purchase anything from anywhere.

    Regardless of whether you agree that IT disposal represents the “biggest hidden risk,” it does represent a risk that should be considered. Local disposal (or loss via 3rd parties) of unencrypted data tapes has been widely reported on, regardless of whether that lost data was ever used in a crime. The reputation losses that can be incurred as a result should make businesses aware there is real risk involved.

    That all said, it has been repeatedly demonstrated that a concerted effort can reassemble data from even the most damaged drives (the Space Shuttle drive data reconstruction being but one example), so if data is going to be left unencrypted on any physical device the furnace becomes your only safe bet.

    Applying data sensitivity identification can mitigate some risk. If your data is valuable for, at most, 6 months then simply keep the old drives that long before disposing of them. If the data has value for a longer period, adjust accordingly. If the storage time becomes too long, or the risk of using 3rd parties for such storage becomes too great, then encryption becomes a cheaper option (despite it costing more than not using it, provided it’s cheaper than storing the data.) If, however, your data is sensitive for a period that makes brute force decryption viable, then we’re back to the furnace.

    Personally, I would be more concerned about the entity who accepts the drives directly from me than about whomever they ship those drives to. That first party has knowledge of who I am and which drives are mine, and is therefore in a position to pick and choose drives that might be valuable. Whoever is receiving these drives in, for example, Nigeria has far less knowledge and ends up having to go through a far greater volume of noise to get to a signal. That alone reduces the likelihood, and therefore the risk.

    We have long recommended that sensitive data should be encrypted at rest. If it is, then it is likely to be encrypted in transit (e.g. via Internet backup or physical tape transfers.) This mitigates many issues brought up in the media, and should satisfy most regulatory requirements. Keeping data encrypted in memory (or while in use by an application) can be desirable and may reduce some specific risks, but has far less overall risk reducing benefits than encrypting at rest.

    None of this is meant to suggest that the outsourcing of IT disposal shouldn’t involve investigating how that entity handles the data/devices, or, that there aren’t differences between providers of such services. All outsourcing should involve investigation of all pertinent details.

    Thanks for pointing this out, Kyle.

    Cheers,
    Russ

    Posted by: Russ Cooper on August 7th, 2008 at 4:37 pm
