Thursday, April 21, 2011

Data Breaches: Inside the 2011 Verizon Report

Hackers Targeting Smaller Targets & Security Gaps

The number of compromised records resulting from data breaches dropped dramatically in 2010, falling from 144 million in 2009 to just 4 million, according to Verizon's newly-released 2011 Data Breach Investigations Report.

The decrease, which reflects only the incidents across all industries that Verizon and its partners investigated -- not the entire universe of data breaches -- still reveals a promising trend, Verizon says. It builds on the drop in compromised records noted in 2008's report, when compromised records totaled 361 million.

The less promising trend: This year's report includes 761 data breaches, which is the highest caseload ever included in Verizon's 7-year-old annual report. That figure nearly matches the entire six-year total of 900 breaches logged from 2004 to 2009.

But the 2010 report does include more global information, which increased the number of breaches Verizon reviewed. Information provided by the National High Tech Crime Unit of the Netherlands Police Agency accounted for one-third of the cases reviewed in the report. And for the second consecutive year, the U.S. Secret Service also collaborated with Verizon, providing information about domestic breaches it has investigated.

Among the report's key findings:
  • Hacking, at 50 percent, and malware, at 49 percent, are the most prominent types of attack, with many incidents involving weak or stolen credentials and passwords;
  • Physical attacks, such as skimming at ATMs, pay-at-the-pump gas terminals and POS systems, for the first time rank among the three most common ways to steal information, comprising 29 percent of all investigated cases;
  • Outsiders are responsible for 92 percent of breaches, while the percentage of insider attacks dropped from 49 percent in 2009 to 16 percent in 2010.

Attacks Remain Easy

According to the report, 83 percent of the databases hit in 2010 were targets of opportunity; 92 percent of the attacks were classified as "not highly difficult."

"It is important to remember that data breaches can happen to any business, regardless of size or industry, or consumer," says Peter Tippett, Verizon's vice president of security and industry solutions. "A good offense remains the best defense. It is imperative to implement essential security measures broadly throughout your security infrastructure, whether that is a small home setup or an expansive enterprise infrastructure."

Some relevant statistics:
  • 86 percent of the year's breaches were discovered by third parties;
  • 97 percent were avoidable through simple or intermediate controls;
  • 89 percent of the corporate or organizational victims were not compliant with the Payment Card Industry Data Security Standard at the time of the hack.

"Unfortunately, breaching organizations still doesn't typically require highly sophisticated attacks," Verizon states in a summary of the report. "Most victims are a target of opportunity rather than choice, the majority of data is stolen from servers, victims usually don't know about their breach until a third party notifies them, and almost all breaches are avoidable [at least in hindsight] without difficult or expensive corrective action."

Top threats remain unchanged. Hacking and malware are to blame for increases in external threats, the report finds. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. And the percentage of breaches linked to physical attacks, such as card compromises at ATMs and POS devices, doubled from 2009 to 2010.

With the addition of 2010 data, the Verizon data breach series spans seven years and includes more than 1,700 breaches with more than 900 million compromised records.

Recommendations

Focus on Controls: Don't make the mistake of focusing only on high security in certain areas. Businesses are much better protected if they implement essential controls across their organizations;

Store Essential Data: Only store what you need and ensure data that must be stored is monitored and secured;

Limit Remote Access: Restrict access to specific IP addresses and networks, and ensure access to sensitive information, even within the network, is limited;

Audit and Monitor Users: Monitor users through pre-employment screening, limit user privileges and establish separate duties. Managers should provide direction and monitor employees, ensuring security policies and procedures are followed;

Watch Event Logs: Don't get bogged down by the minutiae. Monitor and mine event logs for obvious anomalies. Reduce compromise-to-discovery time to days, rather than weeks;

Bolster Physical Security: Monitor every device that accepts payment cards, including ATMs and pay-at-the-pump gas terminals, for tampering and manipulation.

For more insight on the 2011 Verizon Data Breach Investigations Report, please see: Data Breaches: Inside the 2011 Verizon Report.
