Brian Pennington

A blog about Cyber Security & Compliance

Tag

United States Secret Service

Verizon 2012 Data Breach Investigation Report – a summary with a PCI DSS view point

The 2012 Verizon Data Breach Investigations Report is out, and I have attempted to summarise all 80 pages below.

The study was conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, the Police Central e-Crime Unit, and the United States Secret Service.

The introduction states,

The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of “hacktivism” rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior.

It wasn’t all protest and lulz, however. Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property. We certainly encountered many faces, varied tactics, and diverse motives in the past year, and in many ways, the 2012 Data Breach Investigations Report (DBIR) is a recounting of the many facets of corporate data theft.

Who is behind the data breaches? See below:

98% stemmed from external agents (+6%)
4% implicated internal employees (-13%)
<1% committed by business partners (no change)
58% of all data theft tied to activist groups
  • Outsiders are still dominating the scene of corporate data theft
  • Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011
  • Activist groups created their fair share of misery and mayhem last year as well and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches
  • Insider incidents declined yet again this year to a comparatively scant 4%

How do breaches occur?

81% utilized some form of hacking (+31%)
69% incorporated malware (+20%)
10% involved physical attacks (-19%)
7% employed social tactics (-4%)
5% resulted from privilege misuse (-12%)
  • Incidents involving hacking and malware were both up considerably last year, with hacking linked to almost all compromised records.

What commonalities exist?

79% of victims were targets of opportunity (-4%)
96% of attacks were not highly difficult (+4%)
94% of all data compromised involved servers (+18%)
85% of breaches took weeks or more to discover (+6%)
92% of incidents were discovered by a third party (+6%)
97% of breaches were avoidable through simple or intermediate controls (+1%)
96% of victims subject to PCI DSS had not achieved compliance (+7%)
  • Findings from the past year continue to show that target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.
  • Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult. Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained.
  • Most breaches were avoidable without difficult or expensive countermeasures. Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations.

While at least some evidence of breaches often exists, victims don’t usually discover their own incidents.

The percentage of relevant organizations in compliance with each PCI DSS requirement, based on post-breach reviews conducted by the Verizon IR team, is shown below.



PCI DSS details from the report

  • Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations
  • 96% of victims subject to PCI DSS had not achieved compliance
  • Organizations both large and small seem to struggle the most with Requirements 3, 7, 10, and 11.
  • Looking at the numbers on a year-over-year basis, Verizon sees mixed progress:
      • Improved, Requirements 1, 2, 6, 7, and 9
      • Declined, Requirements 3, 5, 8, and 11
      • Remained the same, Requirements 4, 10, and 12
  • The most significant improvement was Requirement 1 (+11%) “Install and maintain a firewall configuration to protect data.”
  • The most significant decline was Requirement 5 (-24%) “Use and regularly update anti-virus software”.

Verizon’s conclusions and recommendations

“Creating a list of solid recommendations gets progressively more difficult every year we publish this report. Think about it; our findings shift and evolve over time but rarely are they completely new or unexpected. Why would it be any different for recommendations based on those findings? Sure, we could wing it and prattle off a lengthy list of to-dos to meet a quota but we figure you can get that elsewhere. We’re more interested in having merit than having many.”

See the Verizon 2011 Payment Industry Compliance Report summary here

Identity Theft Resource Center found that hacking accounted for the largest number of breaches in 2011 year-to-date

The Identity Theft Resource Center® has found that hacking accounted for the largest number of breaches in 2011 year-to-date.

Almost 37% of breaches between January 1st and April 5th were due to malicious attacks on computer systems. This is more than double the amount of targeted attacks reflected in the 2010 ITRC Breach List (17.1%).

ITRC points out that its findings do not include the large Epsilon email breach, as the full details are yet to be disclosed and the effects seen. The findings also do not include the massive Sony PlayStation Network breach, as this occurred after the report.

Anecdotally, the ITRC in its press release also refers to other pieces of research:

  • Symantec Internet Security Threat Report. This report discloses that over 286 million new threats were identified during 2010. Additionally, the Symantec report said they witnessed more frequent and sophisticated targeted attacks in 2010.
  • McAfee found that the most significant threat to businesses was data leaked accidentally or intentionally by employees.

ITRC views employee breaches as two different types of breaches.

1. Accidental breaches are those that happen by employee mistakes, and while they cause harm, the people who made a mistake never intended to injure the company.

2. The insider who intentionally steals or allows others access to personal information is considered a malicious attacker.

“At first it may be difficult to know if a hacking was perpetrated by an insider or outsider,” says Linda Foley, founder of the ITRC and data breach report manager. “ITRC does not have access to the forensic information the Secret Service has, so we can only report on situations when information is released. As of April 5, 11.6% of 2011 breaches with known forms of leakage were insider theft. When these events are added to known hacking attacks, ITRC’s breach database report indicates that 48.2% of published breaches are some form of targeted attack.”

Businesses are taking the brunt of hacking attacks, according to published reports of breaches.

  • 53.6% of all breaches on the ITRC report were business related.
  • The other categories, “Banking/Credit/Financial,” “Educational,” “Government/Military” and “Medical/Healthcare,” all dropped in their respective percentage of reported breaches.

Other ITRC findings include:

  • Nearly half of breached entities did not publicly report the number of potentially exposed records
  • Several medical breaches ranging up to 1.9 million records caused a spike in the total records for the health services field.

ITRC was unable to draw any long term conclusions from these initial findings.

For further details of the ITRC visit.

Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise

Verizon have released their Data Breach Investigations Report 2011 and, as usual with the Verizon report, there is a lot to take in.

The investigations by Verizon and the U.S. Secret Service discovered that data breaches had dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008.

The percentage of internal breaches fell massively from 49% to 16%, which the report claims is due to the large increase in external attacks rather than a fall in internal breaches.

Verizon’s recommendations for enterprises, as given in the Verizon press release for the 2011 report, are below:

  • Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
  • Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
  • Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
  • Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
  • Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutiae. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
  • Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.
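As an added illustration of three of the recommendations above (restrict remote access to known networks, mine logs for the obvious issues such as default credentials, and measure the compromise-to-discovery gap), here is a small log-mining script. It is example code written for this summary, not Verizon's or the blog's own tooling; the allow-listed networks, default account names, log format and sample log lines are all constructed for the example.

```python
"""Added example: mine constructed remote-access login records for the
'obvious' issues the Verizon recommendations call out, then measure how
long the evidence sat in the logs before the incident was discovered.
Networks, account names, log format and timestamps are constructed."""

import ipaddress
import re
from datetime import datetime

# Hypothetical allow-list of networks from which remote access is permitted.
ALLOWED_REMOTE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),  # documentation range, constructed
]

# Hypothetical vendor-default account names that should never be used remotely.
DEFAULT_ACCOUNTS = {"admin", "root", "pos", "support"}

# Constructed sample log lines in a simple "timestamp LOGIN user src result" form.
SAMPLE_LOG = """\
2011-03-01T02:14:07Z LOGIN user=jsmith src=10.1.4.22 result=success
2011-03-02T23:51:40Z LOGIN user=admin src=198.51.100.77 result=success
2011-03-03T00:02:13Z LOGIN user=admin src=198.51.100.77 result=success
2011-03-10T09:30:00Z LOGIN user=mlee src=203.0.113.9 result=success
2011-03-11T11:45:19Z LOGIN user=pos src=10.2.2.5 result=failure
"""

# Constructed: the date the incident was finally noticed (via a third party).
DISCOVERED_AT = datetime(2011, 4, 20, 0, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["src"] = ipaddress.ip_address(ev["src"])
        events.append(ev)
    return events


def find_obvious_issues(events):
    """Return (timestamp, reason) findings for two obvious conditions:
    a successful remote login from outside the allow-list, and any login
    attempt (success or failure) using a vendor-default account name."""
    findings = []
    for ev in events:
        outside = not any(ev["src"] in net for net in ALLOWED_REMOTE_NETWORKS)
        if outside and ev["result"] == "success":
            findings.append((ev["ts"], f"remote login from non-allow-listed "
                                       f"{ev['src']} as {ev['user']}"))
        if ev["user"] in DEFAULT_ACCOUNTS:
            findings.append((ev["ts"], f"default account '{ev['user']}' used "
                                       f"from {ev['src']} ({ev['result']})"))
    return findings


def days_to_discovery(findings, discovered_at):
    """Compromise-to-discovery gap in whole days: from the earliest finding
    already present in the logs to the time the incident was noticed."""
    if not findings:
        return None
    first = min(ts for ts, _ in findings)
    return (discovered_at - first).days


if __name__ == "__main__":
    issues = find_obvious_issues(parse_log(SAMPLE_LOG))
    for ts, why in issues:
        print(ts.isoformat(), why)
    print("days from first log evidence to discovery:",
          days_to_discovery(issues, DISCOVERED_AT))
```

On the constructed sample the script flags the two successful `admin` logins from outside the allow-list (each also as default-account use) and the failed `pos` attempt, and reports that the first evidence sat in the logs for 48 days before discovery, which is the weeks-to-months gap the report says most victims suffer.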

Key results from the 2011 report, as given in the Verizon press release

  • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
  • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
  • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
  • Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionality.
  • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Download the report here
