Data Loss: The Ultimate Cluestick
One of the most clueful and well-informed reports on how hackers are stealing company data these days was published this week by Verizon, which examined more than 500 data breaches that it investigated over the past few years.
In a nutshell, Verizon found that when it comes to security, companies are too trusting of their core business partners, far too complacent with their own internal security, and too willing to violate their own security policies.
While those high-level conclusions may seem obvious, some of the numbers behind those findings bear highlighting. For example, Verizon found that in nearly half of the attacks, it took the bad guys between hours and days to reach the data they were after. In addition, Verizon found that 63 percent of the victims didn't realize they'd been hacked until months after the compromise.
Peter Tippett, vice president of risk intelligence for Verizon Business, said these stats highlight both an endemic problem and a positive development.
"Just three to four years ago, almost all the attacks we saw were done in a minute or two, a single step. In those days, your managed service provider or [intrusion detection system] would tell you that an attack had just happened and that the ship is about to sink," Tippett said. "The good news is that all we need to do is trip up the bad guy at any one stage of the attack to stop it."
The fact that organizations may have more time to detect today's attempted cyber intrusions may be good news, but really only if the target is actually looking for signs that someone is trying to break in. Verizon notes that in 82 percent of the cases examined in the study, the raw evidence for the break-in was sitting unheeded in the company's network traffic and activity logs.
So if victims aren't paying vigilant attention to the warning signs, how do they ever figure out they're hacked? Usually, it's when their data shows up on online forums that cater to identity theft. The report notes that in 70 percent of the cases, victims first learned of the compromises from third parties, such as affected customers, banks or law enforcement agencies.
In 79 percent of the cases, Verizon found that a contributing factor to the data breach was a violation of the victim's own security policies -- such as weak/nonexistent passwords -- where the company failed to follow its own rules.
The report also concluded that while victims are often compromised via weaknesses in defenses at third-party business networks, the long-held notion that insiders are responsible for the majority of data thefts is simply no longer true.
In 39 percent of intrusions examined in the report, the point-of-entry implicated some security weakness in the victim's business partner - a less secure partner that was granted some kind of network or system access to the victim. While the threat from business partners was significant, Verizon also found that data compromises were considerably more likely to result from external attacks than from any other source: Nearly three-quarters of the cases yielded evidence pointing outside the victim organization as the source of the breach.
From the report:
"It is widely believed and commonly reported that insider incidents outnumber those caused by other sources. While certainly true for the broad range of security incidents, our caseload showed otherwise for incidents resulting in data compromise. This finding, of course, should be considered in light of the fact that insiders are adept at keeping their activities secret. For others, the real surprise may be that the ratio of external to internal is so slim. In days long past when mainframes ruled the computing world, internal threats were the predominant concern. Ever since outsiders joined the network, however, external attacks (not incidents) have vastly outnumbered those from insiders."
While the security news media (present company included) often focuses on the latest and scariest techniques that cyber crooks can use to break into systems, Verizon found that the methods used in most of the data breaches it examined were mind-numbingly boring and not terribly sophisticated.
In nearly 85 percent of the data breaches, the attackers either found their victims by searching randomly for entities with specific application or network weaknesses, or targeted victims that were known to be running a certain class or configuration of vulnerable software or hardware that the attackers knew how to exploit. More than half of the exploits used fell into Verizon's low sophistication category.
"If you asked us several years ago about the complexity of these cases, by and large every new case showed us something new...we almost looked forward to every case," said Bryan Sartin, director of investigative response at Verizon Business. "Now, we're getting to the point where [determining the method of break-in] is the most boring part of the job, where we can take a look at the victim's network diagram and can reasonably conclude where the point of compromise lies. And it's usually the path of least resistance."
There is plenty more depth and detail in the full report, available here (PDF).
June 13, 2008; 3:46 PM ET