Archive for April, 2011

Weekly Intelligence Summary: 2011-04-29

Friday, April 29th, 2011

Customer communications were the significant theme in InfoSec risk intelligence this week. The data breach at Sony’s PlayStation Network took the “kick me” signs away from Amazon for their cloud outage and from EMC/RSA for post-breach communications shortcomings. Apple and, to a lesser extent, Google took a beating over cell phone user tracking; Bob Sullivan at MSNBC has a balanced assessment of the tracking issue. Other intel includes: Iran reported they were the target of another targeted malware attack a la Stuxnet. Unfortunately there has been no independent confirmation, there is little history of AV expertise among Iranian IT organizations, and the geopolitical dynamic cannot be ignored. Google released version 11 of the Chrome browser fixing 25 vulnerabilities, and Mozilla updated their products for 18 vulnerabilities.

2011 Data Breach Investigations Report released

Tuesday, April 19th, 2011

Here we are again – our fourth installment of the DBIR series (sixth if you count the ’08 and ’09 mid-year supplementals). To our readers, it may seem like the 2010 DBIR was published ages ago. To us, it feels more like yesterday. The expanding scope and increasing depth of the report make it almost one continuous effort throughout the year. It is, however, a labor of love and we’re very glad to be sharing our research into the world of data breaches with you once again.

We are also very glad to have the USSS back with us for the 2011 DBIR. Additionally, we have the pleasure of welcoming the NHTCU to the team. Through this cooperative effort, we had the privilege – and challenge – of examining about 800 new data compromise incidents since our last report. To put that in perspective, the entire Verizon-USSS dataset from 2004 to 2009 numbered just over 900 breaches. We very nearly doubled the size of our dataset in 2010 alone!

With the addition of Verizon’s 2010 caseload and data contributed from the USSS and NHTCU, the DBIR series now spans 7 years, 1700+ breaches, and over 900 million compromised records. We continue to learn a great deal from this ongoing study and we’re glad to have the opportunity once again to share these findings with you. As always, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers. We also hope you just enjoy reading it.

You can grab it here

Weekly Intelligence Summary: 2011-04-15

Friday, April 15th, 2011

Adobe announced new surprise targeted attacks on yet another authplay.dll vulnerability in Flash Player, Acrobat and Adobe Reader; the ninth in 2+ years. Adobe has become increasingly known for these issues, as Sendmail was in the ’90s and IIS & IE were in the Oughts. Barracuda Networks was the victim of a data breach. That was just Monday. Of course, Tuesday was Microsoft’s turn to drop 17 security bulletins for 64 vulnerabilities. Wednesday, WordPress/Automattic announced they were the victims of a data breach. Thursday, a Reuters “Special Report” took several old anecdotal reports and linked them with unsourced insinuations and innuendo to conclude that the Chinese government sanctioned hacker attacks called “Byzantine Hades,” alleging they began in 2006. While it might be accurate, it’s analytically impotent. Also on Thursday, Oracle pre-announced 73 vulnerabilities to be fixed in next week’s CPU, Google updated Chrome, and Apple patched iOS, OS X and Safari. Friday, Adobe released patches for Monday’s problems. The good news in this week’s Intel was the takedown of the Coreflood rootkit/botnet infrastructure. It certainly wasn’t boring in the Risk Team this week, yet somehow, the week felt “normal.”

VERIS Community Project Update

Tuesday, April 12th, 2011

The Verizon Enterprise Risk and Incident Sharing (VERIS) framework provides a common language for describing security incidents in a structured and repeatable manner. The VERIS community application provides the means by which VERIS-classified incidents can be anonymously reported and shared with others. The overall goal is to lay a foundation from which we can constructively and cooperatively learn from our experiences to better manage risk.

The following statistics are based upon 62 incidents submitted to the VERIS community application following its launch in Nov 2010 through mid-January 2011. These results were originally compiled and shared at Mini-Metricon 5.5 on the Monday of the RSA Conference (you can get the full presentation from there). All values below represent the percent of all incidents reported.

Threat Agents

Well, this distribution looks eerily familiar. Where have I seen it before… Seriously though, it is quite amazing that ALMOST EVERY dataset we’ve examined (the USSS’ ‘07-’09 caseload being the only dissenter) shows a healthy external majority.

[Figure: threat agent distribution for the 62 VERIS community incidents]


Weekly Intelligence Summary: 2011-04-08

Friday, April 8th, 2011

There are significant risks to the reputations of all companies involved in a data breach, including breaches of information belonging to the customers of other companies. Customer communications will almost certainly suffer, to some extent, for an indefinite period. The victim will lose money, at least, on the investigation into the breach and probably due to lost business or customers, legal and regulatory costs. Recently, Epsilon, Silverpop and ReturnPath have been the victims of this type of breach. The RSA breach demonstrates the necessity for comprehensive security architecture and awareness training at all levels to guard against spear phishing. Microsoft will be issuing 17 security bulletins addressing 64 vulnerabilities on Tuesday, and headlines of impending doom are already being fabricated. Apocalyptic headlines about Epsilon pushed Lizamoon off the virtual front page, and the upcoming Patch Tuesday is already replacing Epsilon. While headlines say we are constantly facing extinction, we somehow survive. In the face of barrages of hyperbole-driven technical media and the twitter/blogosphere, Benjamin Franklin’s advice, “believe none of what you hear and half of what you see,” is still apt.

Weekly Intelligence Summary: 2011-04-01

Friday, April 1st, 2011

“Second verse, same as the first!” It seems fitting somehow that Peter Noone’s memorable contribution to the British Invasion should come to mind the week ending on April Fool’s Day. “Night Dragon” burned the Australian Prime Minister, cabinet and MPs, and Inspector Renault visited Oz just in time for “sources” to conjecture the Chinese did it. Then the good inspector visited Facebook and AT&T so a routing glitch could also be blamed on the Chinese (without a shred of proof). McAfee and SAIC reported the criminals are after our secrets. Really; no foolin’. The NASDAQ breach, first reported in early February, got another chorus when Business Week reported the NSA is on the case. IEEE (a professional organization several members of the Risk Team belong to) reported a credit card breach. The World Health Organization says the world isn’t ready for a pandemic. Trend took down a botnet. Anonymous DDoS’d a site related to the music industry. OB 4/1: None of the above is a joke; tedium isn’t very funny. “I’m Henery the Eighth….”