Monday, October 17, 2011

Verizon 2011 Data Breach Investigation Report – breaches down, or are they?

The 2011 Data Breach Investigation Report (DBIR) from Verizon (http://bit.ly/pt5xV9 ) now incorporates data from the United States Secret Service and the Dutch National High Tech Crime Unit as well as Verizon’s own data.  It is a comprehensive report, extensively covering data breach activity in 2010, and it draws some interesting, and sometimes almost contradictory, conclusions.

2008 saw a record number of 361 million records compromised, 2009 saw a reduction to 144 million, and in 2010 that number dropped to 4 million.  Hang on, 144 million -> 4 million?  As the report says, that’s almost a rounding error!  Not to say that 4 million records compromised is good, that’s still 4 million more than we’d ideally have to deal with, but it’s a pretty radical reduction.  So, one question might be “Why?”.  As it turns out, the main reason is that, for some reason, 2010 had virtually no “mega” attacks, which typically bump the numbers up by a million or more.  But let’s continue to look…

In actual fact, now that we are more than 9 months through this year, we know enough to determine whether 2010 was part of a long term trend of data breach reduction, or an anomaly.  And with Sony, Espilon, RSA and Citi breaches already behind us in 2011, the unfortunate news is that the numbers this year are likely to be back up.  In fact, numerous industry observers are now saying that 2011 is likely to be the worst year on record, in terms of number of records compromised.

So perhaps a better idea is to look at the trends indicated by the Verizon report, along with the knowledge of the 2011 breaches, to identify what we could and should be doing better.

One of the interesting facts from the Verizon report is that, even though total number of records compromised was (WAY) down, the actual number of breaches was up (761 in 2010, versus a total from 2004-2009 of 900).  This is partly due to the inclusion of the Dutch data, but it also shows that cybercriminals are now willing to perform their exploits for smaller returns, which itself is a little worrying.

Another interesting statistic - 83% of all attacks were opportunistic, meaning the victim was identified because they exhibited a weakness or vulnerability that the attacker could exploit.  Often these were due to POS and other systems being installed with default user information, which became known within the criminal community.  Put another way, closing down these relatively simple (and obvious) loopholes could drastically reduce the occurrence of data breaches.

The other 17% of attacks were targeted, meaning that the victim was first chosen as the target, then a method of exploitation was determined.  Unfortunately, but not surprisingly, the financial industry was most represented in the ranks of the targeted attack victims.

Following on from the targeted attack point, 96% of all records compromised were card numbers and/or card data, a truly worrying figure.

So, what can we learn from this?

We know from the number of attacks in the first half of this year that cybercrime is not decreasing.  Both the number of attacks, and the cost of those attacks, continues to rise.  Cybercriminals utilise opportunistic attacks for relatively small gains in many cases, and targeted attacks on financial institutions.  Card numbers continue to be stolen, in large volumes.

It remains critical to protect sensitive data, both at rest, and in transit.
Use SSL and file encryption solutions when possible.
Ensure that the platforms/applications receiving the sensitive data also protect it.
Get to know the security administrators on those platforms and ask them to do the same with the applications/platforms they share data with.


Remove as many areas of opportunistic attack as possible:
Don’t use default userids and passwords.
Put granular access control and auditing in place.
Feed your audit data (from all platforms and applications) into a SIEM device to get an enterprise-wide view of your security events.

XYPRO’s XYGATE security suite can address all these areas, and more.  For more information on how XYGATE can help secure your HP NonStop platform, applications and data, please see our website www.xypro.com, or email me at andrew_p@xypro.com

Andrew Price
XYPRO Technology Corporation

No comments:

Post a Comment