The 2012 Verizon Data Breach Investigations Report is out and I have attempted to summarize all 80 pages below.
The study was conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service.
The introduction states:
The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of “hacktivism” rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior.
It wasn’t all protest and lulz, however. Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property. We certainly encountered many faces, varied tactics, and diverse motives in the past year, and in many ways, the 2012 Data Breach Investigations Report (DBIR) is a recounting of the many facets of corporate data theft.
Who is behind the data breaches? See below:
| Share | Finding | Change from previous report |
|---|---|---|
| 98% | stemmed from external agents | +6% |
| 4% | implicated internal employees | -13% |
| <1% | committed by business partners | <> |
| 58% | of all data theft tied to activist groups | |
- Outsiders are still dominating the scene of corporate data theft.
- Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011.
- Activist groups created their fair share of misery and mayhem last year as well, and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches.
- Insider incidents declined yet again this year to a comparatively scant 4%.
How do breaches occur?
| Share | Finding | Change from previous report |
|---|---|---|
| 81% | utilized some form of hacking | +31% |
| 69% | incorporated malware | +20% |
| 10% | involved physical attacks | -19% |
| 7% | employed social tactics | -4% |
| 5% | resulted from privilege misuse | -12% |
- Incidents involving hacking and malware were both up considerably last year, with hacking linked to almost all compromised records.
What commonalities exist?
| Share | Finding | Change from previous report |
|---|---|---|
| 79% | of victims were targets of opportunity | -4% |
| 96% | of attacks were not highly difficult | +4% |
| 94% | of all data compromised involved servers | +18% |
| 85% | of breaches took weeks or more to discover | +6% |
| 92% | of incidents were discovered by a third party | +6% |
| 97% | of breaches were avoidable through simple or intermediate controls | +1% |
| 96% | of victims subject to PCI DSS had not achieved compliance | +7% |
- Findings from the past year continue to show that target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.
- Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult. Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained.
- Most breaches were avoidable without difficult or expensive countermeasures. Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations.
- While at least some evidence of breaches often exists, victims don't usually discover their own incidents.
The percentage of relevant organizations in compliance with each PCI DSS requirement, based on post-breach reviews conducted by the Verizon IR team, is summarized below:
- Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations.
- 96% of victims subject to PCI DSS had not achieved compliance.
- Organizations both large and small seem to struggle the most with Requirements 3, 7, 10, and 11.
- Looking at the numbers on a year-over-year basis, Verizon sees mixed progress:
  - Improved: Requirements 1, 2, 6, 7, and 9
  - Declined: Requirements 3, 5, 8, and 11
  - Remained the same: Requirements 4, 10, and 12
- The most significant improvement was Requirement 1 (+11%): "Install and maintain a firewall configuration to protect data."
- The most significant decline was Requirement 5 (-24%): "Use and regularly update anti-virus software."
Verizon’s conclusions and recommendations
“Creating a list of solid recommendations gets progressively more difficult every year we publish this report. Think about it; our findings shift and evolve over time but rarely are they completely new or unexpected. Why would it be any different for recommendations based on those findings? Sure, we could wing it and prattle off a lengthy list of to-dos to meet a quota but we figure you can get that elsewhere. We’re more interested in having merit than having many.”
See the Verizon 2011 Payment Industry Compliance Report summary here