2009 DBIR: Compromised Assets

Peter Tippett
April 14th, 2009

Figure 25 in the 2009 Data Breach Investigations Report (p. 30) shows that in the big computer crime cases of 2008, the vast majority involved data taken from servers (Online Data in 94% of cases).  End-User Systems were involved in any part of a target in only 17% of all cases, and were part of the attack pathway in only about 1% of cases (one case out of 90, Figure 16).  The very same data, viewed by the percent of records lost, shows that 99.9% of records were taken from servers, while just 0.01% of the records were taken from End-User systems.  Wow!

Other parts of the report corroborate this.  For example, fewer than 8% of all cases had anything to do with anyone picking up malicious code through internet browsing, none had anything to do with smart phones, and only one involved a USB memory stick (and even there its use wasn’t germane to the success or failure of the attack).

I would guess that most organizations spend more than half of the “security budget” on software, services, programs, activities and the like that relate to the security of end-user systems and related items.  The data suggest that if we are spending to resist “the big one,” we should be spending 12:1, 20:1, or even 1,000:1 more money on our own IT staff and on work such as discovering which servers (not desktops; see Fig 30) contain our sensitive data, finding connections we forgot about, hardening servers, addressing default passwords, reviewing partner connections, and so on.  In other words, we should be worrying about server-based and network-based issues significantly more than end-user issues.

What do you think? Do we have the right dollars going to the wrong mix of projects?  What percent of your budget is focused on end-user versus server / network security?
