A Comparison of DBIR with UK breach report
Posted by admin on February 16th, 2010
by Dave Hylender and Christopher Porter
A week or so ago we posted a quick heads-up about the UK Security Breach Investigations Report from 7Safe. Several other reports have been released since then (from Mandiant and Trustwave), but this one is particularly interesting for comparison with our DBIR because it focuses on breaches in the UK. (Note that the DBIR caseload is majority US-based but includes a sizeable and growing number of European and other global breaches.) We often hear comments suggesting that breaches in the US are radically different from, and thus not comparable to, those elsewhere; this report suggests otherwise. What follows is a high-level comparison of the DBIR findings to the 7Safe report.
For reference, the 7Safe report covers 62 cases from the previous 18 months. Its sample appears to skew more toward smaller businesses than the DBIR's does.


The top two industries breached in the 7Safe report were Retail (69%) and Finance (7%). The 2009 DBIR shows the same order but with very different percentages (31% retail and 30% financial services), so the UK sample is far more heavily weighted toward retail.


The 7Safe report classifies breach sources in a way very similar to the DBIR, and it shows remarkably similar results. Both reports rank external attacks as most common (7Safe 80%, DBIR 74%), followed by partner (7Safe 18%, DBIR 32%), with internal attacks last (7Safe 2%, DBIR 20%). One caveat when reading the numbers side by side: the DBIR figures sum to more than 100% because a single breach can involve more than one source, whereas the 7Safe figures sum to exactly 100%. It is worth noting that this is not the first non-DBIR dataset to show similar findings (see the comparison to DatalossDB in the appendix of our 2009 Supplemental DBIR).


Comparing the origin of attacks is a bit difficult, since the DBIR reports regions while 7Safe reports specific countries. The two show both similarities and differences. As might be expected, 7Safe found a larger percentage of attacks originating from Western Europe. Both report a sizeable proportion from North America (the USA was #1 in the UK report). The most noteworthy differences are that the 7Safe report attributes a much larger percentage of attacks to Southeast Asia (Vietnam, Singapore and Indonesia) than the DBIR does (3 of 90 breaches), and that it records no attacks at all originating from East Asia (China, for example).


The most common methods of intrusion look familiar, and they carry the same message we have heard before: changing default passwords is key.


The 7Safe report uses a slightly different scale for attack difficulty, but it seems clear that, as in the DBIR caseload, the majority of attacks are not complicated: 27% were rated "sophisticated", compared to 17% of attacks rated "highly difficult" in the DBIR.


It is rather amazing that the top five non-compliant PCI DSS requirements in the 7Safe report are exactly the same as the top five in our caseload. Given the odds of that happening by chance (there are 792 ways to pick five of the twelve requirements, so roughly a 1 in 792 chance of an unordered match, and far smaller if the order matches too), there is probably a lesson to pay attention to here.


In both datasets the majority of breaches involved fewer than 100K records. The 7Safe findings include fewer cases above 100K (14%), but there are some.




We like that 7Safe records the environment in which the breached data resided, that is, where it was stored or processed: 46% of breached assets were in a shared hosting environment, 43% in a dedicated hosting environment and 11% in an internal office environment. We started tracking the same metric last year, and it will be included in the 2010 DBIR.

To wrap up, it is interesting how similar most of the findings across the pond are to what we see in our own back yard. Modern business does not really respect national boundaries, and it seems modern criminals don't either. Reports like ours, 7Safe's and others are important reminders to organizations that we all face a common enemy who often uses similar weapons against us. Sharing what we learn is critical to our collective ability to protect the interests and assets of our organizations.





You’ve got to admit their flag pie chart is pretty cool.
Posted by: Jim Jones on February 18th, 2010 at 1:20 am