Verizon Breach Report: Incidents Are Up
Hackers Preying Upon Smaller Targets, Security Gaps
The decrease, which reflects only the incidents across all industries that Verizon and its partners investigated -- not the entire universe of data breaches -- still reveals a promising trend, Verizon says. It builds on the drop in compromised records noted in 2008's report, when compromised records totaled 361 million.
The less promising trend: This year's report includes 761 data breaches, which is the highest caseload ever included in Verizon's 7-year-old annual report. That figure nearly matches the entire six-year total of 900 breaches logged from 2004 to 2009.
But the 2010 report does include more global information, which increased the number of breaches Verizon reviewed. Information provided by the National High Tech Crime Unit of the Netherlands Police Agency accounted for one-third of the cases reviewed in the report. And for the second consecutive year, the U.S. Secret Service also collaborated with Verizon, providing information about domestic breaches it has investigated.
Bryan Sartin, director of investigative response at Verizon and an author of the latest report, says breaches have increased because more hackers are now hitting smaller, less secure databases. "Breaches are up, but compromises are down," Sartin says. "Today, it's more disorganized crime," since most of the sophisticated hackers [including Albert Gonzalez, the mastermind behind the TJX and Heartland breaches] behind the world's biggest breaches have already been arrested.
"More of the smaller organizations are being hit, but they don't offer much meat to the perpetrator," Sartin says. That news is good and bad: good, since it proves fraud prevention and investigative efforts are improving; bad, because it shows that simple data security gaps still plague smaller businesses.
Among some of the report's key findings:
- Hacking, at 50 percent, and malware, at 49 percent, are the most prominent types of attack, with many incidents involving weak or stolen credentials and passwords;
- Physical attacks, such as skimming at ATMs, pay-at-the-pump gas terminals and POS systems, for the first time rank among the three most common ways to steal information, comprising 29 percent of all investigated cases;
- Outsiders are responsible for 92 percent of breaches, while the percentage of insider attacks dropped from 49 percent in 2009 to 16 percent in 2010.
Attacks Remain Easy
According to the report, 83 percent of the databases hit in 2010 were targets of opportunity; 92 percent of the attacks were classified as "not highly difficult."
"It is important to remember that data breaches can happen to any business, regardless of size or industry, or consumer," says Peter Tippett, Verizon's vice president of security and industry solutions. "A good offense remains the best defense. It is imperative to implement essential security measures broadly throughout your security infrastructure, whether that is a small home setup or an expansive enterprise infrastructure."
Some relevant statistics:
- 86 percent of the year's breaches were discovered by third parties;
- 97 percent were avoidable through simple or intermediate controls;
- 89 percent of the corporate or organizational victims were not compliant with the Payment Card Industry Data Security Standard at the time of the hack.
"Unfortunately, breaching organizations still doesn't typically require highly sophisticated attacks," Verizon states in a summary of the report. "Most victims are a target of opportunity rather than choice, the majority of data is stolen from servers, victims usually don't know about their breach until a third party notifies them, and almost all breaches are avoidable [at least in hindsight] without difficult or expensive corrective action."
Top threats remain unchanged. Hacking and malware are to blame for increases in external threats, the report finds. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. And the percentage of breaches linked to physical attacks, such as card compromises at ATMs and POS devices, doubled from 2009 to 2010.
"We still see a lot of the same data types being targeted," Sartin says. "Most of the attacks we saw targeted consumer records," and the majority of attacks stemmed from the former Soviet Union, though Sartin points to Asia-Pacific as the No. 1 cybercrime market.
Fraud Detection: Archaic Techniques?
One of the most disheartening revelations from the research: "Much of the stolen data comes from sources of data these companies did not even know they had," Sartin says. "Knowing what data is sensitive and what data you have remains a problem."
Another problem is the means smaller entities continue to use to detect fraud, relying too heavily on correlating disparate information that doesn't produce insightful results. "It's not about finding needles in haystacks; it's about finding haystacks," Sartin says. "We have to look for indications of crimes in motion, and we can re-tune our event-monitoring systems to address that."
On the plus side, investigations and cross-industry information sharing have improved. "As a result, we recognize crimes more quickly and we are able to tie basic methods and patterns," connecting them to known crime groups, Sartin says.
More often than not, investigations lead to arrests before compromises occur. "The good guys are getting better, and where we are getting more effective is in the sharing of information," he says.
With the addition of 2010 data, the Verizon data breach series spans seven years and includes more than 1,700 breaches with more than 900 million compromised records.
Recommendations
Among the tips Sartin and his co-authors offer global organizations:
- Focus on Controls. Don't make the mistake of focusing only on high security in certain areas. Businesses are much better protected if they implement essential controls across their organizations;
- Store Essential Data. Only store what you need and ensure data that must be stored is monitored and secured;
- Limit Remote Access. Restrict access to specific IP addresses and networks, and ensure access to sensitive information, even within the network, is limited;
- Audit and Monitor Users. Monitor users through pre-employment screening, limit user privileges and establish separate duties. Managers should provide direction and monitor employees, ensuring security policies and procedures are followed;
- Watch Event Logs. Don't get bogged down by the minutiae. Monitor and mine event logs for obvious anomalies. Reduce compromise-to-discovery time to days, rather than weeks;
- Bolster Physical Security. Monitor every device that accepts payment cards, including ATMs and pay-at-the-pump gas terminals, for tampering and manipulation.
For more insight on the 2011 Verizon Data Breach Investigations Report, please see: Data Breaches: Inside the 2011 Verizon Report.