Archive for the ‘Studies & Whitepapers’ Category

To DBIR: Show me the Money!

Thursday, April 16th, 2009

One of the most common questions/criticisms we get regarding the Data Breach Investigations Report is the lack of data on financial losses experienced by organizations in our sample. We can understand the frustration. There are, however, several reasons that the report does not contain such information:

1) A breach investigation focuses on the collection of evidence related to who did it, how, when, what was compromised, etc. Analyzing and quantifying financial losses to the victim organization is simply not what we’re paid to do. Although we do occasionally gather information relevant to the impact of a breach, we do not gather nearly enough pieces to complete the puzzle. Nor are we on the ground long enough after the breach to truly study the long-term consequences.

2) While we could include the bits and pieces that we collect on losses, we made a decision at the very beginning not to do so. One of the aspects of the DBIR that we (and we hope many others) like is that, from cover to cover, it is filled with objective, credible, factual information. Since we do not collect data of that caliber on losses during an investigation, we do not feel it fits with the rest of the report.

That said, we’re not blind. We realize that breach details along with a credible account of financial losses are the “Holy Grail” of our field. I won’t give away too much now, but let’s just say that we’re actively working on something that may please the masses.

The 2009 Data Breach Investigations Report

Wednesday, April 15th, 2009

Get it free of charge with no sign-up requirements here.

Creating the single-year sequel to a four-year report on over 500 breach investigations is a daunting prospect. While it would be impossible to trump the sheer scope of the original 2008 DBIR, we’ve sought to preserve its strengths and introduce some key enhancements for 2009. Here is some of what you can expect in this release:

First, you’ll notice the report is quite a bit larger than last year. Hopefully it’s worth the extra disk space (which isn’t saying much given current prices) and/or toner (which *is* saying a lot given current prices). Rather than platitudes and pitches, we’ve worked to fill those extra pages with real substance. Everyone loves data.

(more…)

285 Million

Wednesday, February 18th, 2009

If you’re thinking “What is the population of the United States near the turn of the millennium?” your collection of trivial knowledge is truly impressive and I wouldn’t want to oppose you in Final Jeopardy. In this case, however, you’d have the wrong answer…er, question. The question we’re looking for here is “How many records were compromised among breaches investigated by Verizon Business in 2008?”.

Yes, you read that correctly. I’m as flabbergasted as you are. We knew the number was big when we recently started combing through last year’s statistics in preparation for the upcoming 2009 Data Breach Investigations Report (DBIR), but I don’t think we quite knew it was THAT big. To put this number in perspective, that means 9 records were compromised for every second that ticked by in 2008 – and that’s just among the cases Verizon Business investigated! To put that in further perspective, you may remember that in the 2008 DBIR we reported a figure of 230 million records from cases we worked between 2004 and 2007.

What happened? We’re currently up to our data-loving eyeballs trying to put together an answer to that question. We will have it to you on April 15 in the form of the 2009 Data Breach Investigations Report…so stay tuned.

Peter Tippett on the Data Breach Investigations Supplemental Report

Wednesday, October 8th, 2008

Dr. Peter Tippett, VP of Research and Risk Intelligence for Verizon Business Security Solutions, was recently interviewed by Robert Richardson at Information Week about the Data Breach Supplemental Report. Visit the links below to listen.

Listen to Part I

Listen to Part II

2008 Data Breach Investigations Supplemental Report

Thursday, October 2nd, 2008

By Wade Baker

Today, we released a supplement to our 2008 Data Breach Investigations Report (DBIR) that focuses on four major industry groups. As many of you know, the original document compiled four years of data from over 500 cases worked by our Investigative Response team and was intended to be a kind of “state of the union” look at recent security breach and data compromise trends.

(more…)

Do the Findings of the 2008 Data Breach Investigations Report Differ Among Industries?

Wednesday, August 20th, 2008

By Wade Baker

Since releasing the 2008 Data Breach Investigations Report (DBIR) in June, we’ve frequently been asked some form of the following question: “Do the findings presented in the report differ among industries?” It’s a good question, and one we’re working on answering at length in a supplemental report contrasting the four most frequently breached industries (Financial Services, Tech Services, Retail, and Food & Beverage) using the original dataset. We plan to release the report sometime next month, but would like to give you a sneak peek in this post.

You may remember that the 2008 DBIR considered three main sources, or origins, of data breaches: external, internal and partner. The upcoming supplemental report naturally adopts this same trio of sources. Based on Verizon Business caseload from 2004 through 2007, the figure below depicts the percentage of breaches attributed to internal, external and partner sources for each industry group.

(more…)

Insider Breach Stats: Bogus, Biased, or Believable?

Monday, July 7th, 2008

By Wade Baker

Our 2008 Data Breach Investigations Report presents statistics on the percentage of breaches involving outsiders, insiders and partners (73%, 18%, and 39% respectively). Public reaction to these statistics runs the gamut from revulsion to revelry. This is especially true with respect to the relatively low percentage of breaches tied to insiders. Some seem to think we’ve blasphemed the sacred doctrines of our trade handed down from on high long ago. Others are glad to see their oft-ridiculed beliefs finally vindicated by objective data. Many in the middle are cautious about drawing conclusions, and are unsure what to make of the statistics.

Which reaction is appropriate? We won’t weigh in on that question; we’ll stick to providing data rather than dictating the reactions of others. We would, however, like to address the underlying questions fueling such reactions – whether these statistics are bogus, biased or believable.

(more…)

Patching Conundrum

Friday, June 13th, 2008

How much better is it to have a world-class patching process compared to an average one? Could it ever be detrimental to patch too fast? And what does patching have to do with cholera? Two earlier Verizon Business Risk Team studies shed more light on this subject.

The recently published “Verizon Business 2008 Data Breach Investigations Report” describes characteristics of more than 500 computer crime investigations performed over the past four years. Our data shows that in only 18% of cases in the hacking category (see Figure 11) did the attack have anything to do with a “patchable” vulnerability. Further analysis in the study (Figure 12) showed that 90% of those attacks would have been prevented had patches been applied that were six months in age or older! Significantly, patching more frequently than monthly would have mitigated no additional cases.

(more…)

2008 Data Breach Investigations Report

Tuesday, June 10th, 2008

At considerable investment in time and resources, Verizon Business began an initiative in 2007 to identify a comprehensive set of metrics to record during each data compromise investigation. As a result of this effort, we pursued a post-mortem examination of over 500 security breach and data compromise engagements between 2004 and 2007 which provided us with the vast amount of factual evidence used to compile this study. This data covers 230 million compromised records. Amongst these are roughly one-quarter of all publicly disclosed data breaches in both 2006 and 2007, including three of the five largest data breaches ever reported.

(more…)

I Was an Anti-MSS Zealot

Tuesday, June 10th, 2008

I used to think that Intrusion Detection Systems (IDS) and Managed Security Services (MSS) were a waste of time. After all, most attacks that I had worked on began, and were over, within seconds, and were typically totally automated. In my mind, an IDS alarm going off, or getting a call from the SOC operator, would be like the captain of a ship getting an alarm such as: “Captain, a torpedo passed through engines #2 and #3, and exited the starboard flank. We will be sinking in seven minutes.”

But the Verizon Business 2008 Data Breach Investigations Report tells a very different story.

(more…)