Data Breach Report

2008 will likely be remembered as a tumultuous year for corporations and consumers alike. Fear, uncertainty, and doubt seized global financial markets; corporate giants toppled with alarming regularity; and many who previously lived in abundance found providing for just the essentials to be difficult.

Among the headlines of economic woes came reports of some of the largest data breaches in history. These events served as a reminder that, in addition to our markets, the safety and security of our information could not be assumed either.

Verizon’s 2009 Data Breach Investigations Report covers this chaotic period in history from the viewpoint of their forensic investigators. The 90 confirmed breaches within their 2008 caseload included an astounding 285 million compromised records. These records have a compelling story to tell, and the pages of their report are dedicated to relaying it.

Who is behind data breaches?

74% resulted from external sources.

Most data breaches continue to originate from external sources. Though still a third of the sample, breaches linked to business partners fell slightly for the first time in years. The median size of breaches caused by insiders is still the highest, but the predominance of total records lost was attributed to outsiders. 91 percent of all compromised records were linked to organized criminal groups.

20% were caused by insiders.
32% implicated business partners.
39% involved multiple parties.

How do breaches occur?

In the more successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data. 98 percent of all records breached included at least one of these attributes.

Unauthorized access via default credentials (usually third-party remote access) and SQL injection (against web applications) were the top types of hacking. The percentage of customized malware used in these attacks more than doubled in 2008. Privilege misuse was fairly common, but not many breaches from physical attacks were observed last year.

67% were aided by significant errors.
64% resulted from hacking.
38% utilized malware.
22% involved privilege misuse.
9% occurred via physical attacks.

What commonalities exist?

69% were discovered by a third party.

Only 17 percent of attacks were rated highly difficult, yet they accounted for 95 percent of the total records breached. So, while attackers prefer soft targets, they do seem to know where best to apply pressure when motivated. Most of these incidents do not require difficult or expensive preventive controls. Mistakes and oversight hinder security efforts more than a lack of resources.

81% of victims were not Payment Card Industry (PCI) compliant.
83% of attacks were not highly difficult.
87% were considered avoidable through simple or intermediate controls.
99.9% of records were compromised from servers and applications.

Where should mitigation efforts be focused?

The best defense against data breaches is, in theory, quite simple: don’t retain data. Since that is not realistic for many organizations, the next best thing is to retain only what is required for business or legal reasons, to know where it lives and flows, and to protect it diligently.

The majority of breaches still occur because basic controls were not in place or because those that were present were not consistently implemented across the organization. If obvious weaknesses are left exposed, chances are the attacker will exploit them. It is much less likely that they will expend the time and effort if none are readily apparent.

A very large proportion of attackers gain access to enterprise networks via default, shared, or stolen credentials. Furthermore, organizations seem to have little visibility into this problem. It’s certainly best to prevent such incidents in the first place, but a second line of defense is to review accounts for signs of abuse or anomalies. SQL injection was also an oft-used means of breaching corporate data last year.

Secure development, code review, application testing, etc. are all considered beneficial in light of this finding. Whatever the sophistication and aggressiveness of attacks, the ability to detect a breach when it occurs is a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same: during the last five years, few victims have discovered their own breaches. Fewer still discover them in a timely manner.

1. Ensure essential controls are met.
2. Find, track, and assess data.
3. Collect and monitor event logs.
4. Audit user accounts and credentials.
5. Test and review web applications.
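Recommendations 3 and 4, together with the point above that organizations have little visibility into credential abuse, describe a review that can be run over existing authentication logs. The following is an added example, not code from the Verizon report, that runs three checks over a constructed, syslog-like login log: successful logins to default or vendor remote-access accounts, successful logins for a user from a source address never seen in a baseline period, and two logins for one account from different sources within a short window (a sign of a shared credential). The log format, the account watch list, the baseline cut-off and the ten-minute window are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (syslog-like; not from any real product).
SAMPLE_LOG = """\
2008-03-02T08:55:10 host=pos-gw1 event=login result=success user=jsmith src=10.0.1.25
2008-03-03T08:57:42 host=pos-gw1 event=login result=success user=jsmith src=10.0.1.25
2008-03-03T09:10:05 host=pos-gw1 event=login result=success user=mjones src=10.0.1.40
2008-03-04T13:22:51 host=pos-gw1 event=login result=success user=mjones src=10.0.1.41
2008-03-16T03:11:40 host=pos-gw1 event=login result=success user=support src=203.0.113.9
2008-03-16T09:01:12 host=pos-gw1 event=login result=success user=jsmith src=10.0.1.25
2008-03-17T01:44:03 host=pos-gw1 event=login result=failure user=jsmith src=198.51.100.77
2008-03-17T01:44:29 host=pos-gw1 event=login result=success user=jsmith src=198.51.100.77
2008-03-18T10:00:00 host=pos-gw1 event=login result=success user=mjones src=10.0.1.40
2008-03-18T10:03:30 host=pos-gw1 event=login result=success user=mjones src=10.0.1.41
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=login result=(?P<result>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Hypothetical watch list of default / vendor remote-access account names.
DEFAULT_ACCOUNTS = {"support", "admin", "vendor", "remote"}


def parse_log(text):
    """Parse login events from the constructed log format into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event in the expected format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def review_accounts(events, baseline_end, concurrent_window=timedelta(minutes=10)):
    """Return (kind, user, src, timestamp) findings for logins at or after baseline_end.

    Successful logins before baseline_end establish the known source
    addresses for each account; later logins are judged against them.
    """
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "success" and ev["ts"] < baseline_end:
            baseline[ev["user"]].add(ev["src"])

    findings = []
    last_seen = {}  # user -> (ts, src) of the previous successful login in the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ts"] < baseline_end or ev["result"] != "success":
            continue
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if user in DEFAULT_ACCOUNTS:
            findings.append(("default-account-login", user, src, ts))
        elif src not in baseline[user]:
            findings.append(("new-source", user, src, ts))
        prev = last_seen.get(user)
        if prev and prev[1] != src and ts - prev[0] <= concurrent_window:
            findings.append(("concurrent-sources", user, src, ts))
        last_seen[user] = (ts, src)
    return findings


def demo():
    """Review the constructed log with a baseline cut-off of 2008-03-15."""
    return review_accounts(parse_log(SAMPLE_LOG), datetime(2008, 3, 15))


if __name__ == "__main__":
    for kind, user, src, ts in demo():
        print(f"{ts.isoformat()} {kind:22} user={user} src={src}")
```

On the sample log this flags the vendor account login at 03:11, the first login for jsmith from an address outside the baseline, and the two mjones logins three and a half minutes apart from different addresses; the earlier failed attempt from 198.51.100.77 is left in the data as the kind of context an analyst would pull when following up a finding.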

To see all the report details, go to Verizon’s 2009 Data Breach Investigations Report.