Most Breaches Caused by Crime GangsNew Verizon Report Cites Organized Crime, Insiders Among Top Trends
These are among the headlines of the 2010 Verizon Data Breach Investigations Report, just released by Verizon Business.
Conducted for the first time in collaboration with the U.S. Secret Service, this year's report takes a broader look at the types and causes of data breaches. The USSS investigated 84 data breaches in 2009; Verizon investigated 57. Over the past six years, this annual report has reviewed over 900 data breaches, encompassing more than 900 million compromised records.
The latest report finds 2009's breaches of electronic records involved more insider threats, greater use of social engineering and the persistent, troubling trend of organized crime involvement. Of the 143 million records breached in 2009, 85 percent of them were attributed to financial service incidents. The one good piece of news: The overall number of breaches declined from those cited in 2008's report.
Wade Baker, director of risk intelligence at Verizon Business and primary author of the report, says working with the Secret Service and combing data sets "offers a wide angle lens look at the data breach, trends and new types of attacks." As in earlier reports, about two-thirds of the breaches in the report have not been disclosed or never will be.
Another key point made in the report: Most of the breaches were considered "avoidable" if only security basics had been followed. Verizon Business investigative experts found that only 4 percent of breaches required difficult and expensive protective measures.
To hear Wade Baker discuss the results of this study, listen to this exclusive interview: 2010 Verizon Data Breach Report: Insiders are #1 Threat.
Inside the NumbersData breaches caused by insiders add up to 48 percent of all breaches investigated -- an increase of 26 percent over 2008. Conversely, breaches caused by external sources were down slightly to 70 percent, dropping from 2008's 79 percent.
Another change: 48 percent of the breaches occurred because of privilege misuse, up 26 percent over the previous report. Malware and hacking held top spots in earlier reports, Baker says.
In terms of industries impacted, financial services made up 33 percent of the cases investigated, followed by hospitality at 23 percent and retail at 15 percent.
Other key takeaways:
- 98 percent of the data breached came from servers;
- 61 percent of the breaches were discovered by a third party;
- 96 percent of the breaches were avoidable via simple or intermediate controls;
- 85 percent of the attacks weren't considered highly difficult;
- Nearly 80 percent of victims subject to the payment card industry data security standard were not compliant.
Global OutlookLooking at global trends, Chris Novak, Verizon Business' managing principal of investigative response, says under-reporting of breaches is common outside the U.S.
"If people think the breach landscape is bad here, the outlook is worse in Europe, Middle East and Africa and Asian markets," he says. "Many of them have much more pervasive and long term breaches, and it is common to sweep them under the rug."
Around the globe, many of 2009's data breaches were driven by economic desperation. "A lot of people with great IT skills are out of work and go to the dark side because they have to live and pay bills," Novak says.
Novak's prediction: Sophistication of malware and "laser-type" attacks on high value targets will only increase. Likewise, he expects that organized crime involvement -- and the sophistication of their attacks -- will increase, and they will be more successful. "It is definitely not going to diminish," Novak says.
Industry ResponseLong embraced as an industry benchmark on data breach investigations, the Verizon report gets extra attention this year because of the collaboration between Verizon Business and the Secret Service.
"I like this combination and collaboration between Verizon Business and Secret Service on data breaches," says Linda Foley, founder and chairman of the Identity Theft Resource Center. "This report is remarkable. It confirms what we saw in the breaches we monitor. It goes much deeper in analysis and provides a lot of insight into criminal behavior in terms of breaches, including insider (sometimes just written off as human error)."
Rick Kam, CEO of ID Experts, a data breach response provider, says the latest report mirrors his own group's finding -- particularly an increase in "hybrid attacks" where external organized cybercriminals work with insiders to implement an effective breach.
Kam adds that cyber criminals are using advanced data mining data techniques to create more complete identities. "They are stealing data from public and private data sources that contain both sensitive financial data, as well as other identifiers like health insurance numbers, diagnosis, personal information from social websites like Facebook, to accomplish this." A cyber breach that looks benign may only be a piece of the identity puzzle organized cyber criminals are creating, he says.
Breach Prevention TipsGiven that 96 percent of the breaches were considered avoidable by simple security controls, the Verizon Business experts recommend these fundamental measures for organizations to ensure protection:
- Back to the Basics -- Make sure your firewalls and routers are configured securely. Set the essential controls, and check them regularly.
- Use Layered Security -- For most organizations, the idea of security architecture resembles a piece of chocolate candy -- crunchy and hard on the outside, and soft and chewy on the inside. "Those soft, chewy centers make it easy for the hacker to move around and collect data undetected," Novak says. Think "jawbreaker" security instead of "chocolate cream crunch" security, he says.
- Monitor and Mine Event Logs -- This is where a breach is uncovered. "Now the discovery of a breach is taking too long, and trends show on data breach timelines that the time to discovery isn't getting better," Novak says. Watch Privileged Activity -- Don't give out excessive rights to your own employees and contractors. "Most give people too many privileges than are needed," Baker says. "Go back to appropriate permissions, and monitor insiders, rather than just trust them," says Baker. One tell-tale sign of possible future insider abuse is that many insiders have a bad history of minor policy violations.
- Watch Outbound Traffic --It's not just what's hitting your firewall from the outside that should concern you, but what's leaving the organization, too.
- Be Prepared to Respond -- Novak compares a data breach incident response plan to a company's fire exit plan, "When the building is on fire, you don't start planning who the fire marshal is, or what the exit strategy is," he says. "You have to have those plans before the fire happens."