Each year Verizon issues a report analyzing the makeup of recent data breaches. It is a must read. This year they teamed with the Secret Service, gaining a much larger data set and a new perspective. As I read through the report I found myself surprised by some of the trends. This week’s blog will be a list of the details worth repeating. Get their report here.
1. External agents are the biggest threat, by a very large margin. 70% of data breaches involved external agents. Haven’t we all heard that the biggest threats to corporate security are insiders? I know I have run across that as “generally accepted knowledge.” On top of that, not only do outsiders perform more breaches, but their breaches have far more damaging results. Attacks performed exclusively by outsiders accounted for 45% of all attacks (versus 27% exclusively insider) yet resulted in a whopping 52 times more records disclosed. In short, the outsiders are more interested in getting your data, and when they do get it, they won’t settle for just a little bit.
2. “96% of breaches were avoidable through simple or intermediate controls.” A little bit of security can go a long way. It’s the Pareto principle (aka the 80-20 rule) all juiced up. Performing those basic to medium difficulty fixes reduces risk by 96%. In other words, those fixes can turn a $1,000,000 risk into a $40,000 risk. Put that ratio into the real world risk numbers for your organization and see how dramatically that changes your risk assessments and the ROI on security spending.
3. Verizon recommends, “Eliminate unnecessary data; keep tabs on what’s left.” Just from my own experience, I know how controversial this recommendation can be. It’s the old functionality versus security argument. Data miners and marketers will see a warehouse of data as endless opportunity to learn more about customers’ profiles, habits and interests. Privacy and security officers see that same warehouse as a wasp nest of potential breaches and liability. The sweet spot is when we can find a way to keep all that data in a meaningful format without the risk of inappropriate disclosure.
4. Insiders who intentionally cause breaches often have a history of smaller policy violations. So maybe those minor policy infractions are a bigger deal than we thought. This report finds that those who break the little rules are much more likely to break the big rules. That might not surprise you to hear, but it does give some interesting data to ponder as we consider our responses to minor policy violations.
5. Malware: It’s getting worse, not better. The Malware creators are getting better at creating customized tools designed to break into a specific environment. Custom created Malware accounts for a staggering 97% of the total records lost. Figure out how to keep this Malware off your systems and you go from losing 100 files to 3. Or maybe more to the point… to go from losing $1,000,000 to $30,000.
6. Target of Choice versus Target of Opportunity. Criminals are going to pick you to hack because either (1) you’re easy to hack or (2) you’ve got information they want. Each organization should figure out which category they fall into. Companies holding military secrets, bank account or medical information may well be targets of choice. A company holding their own payroll and HR information but no other sensitive information might not be. By determining whether your organization would be specifically targeted you can better determine the amount of resources and types of defenses you should utilize.
7. Unknown unknowns: What we don’t know is hurting us. 90% of the records breached involved privileges, system, connectivity or data that the IT department didn’t know existed. When we don’t keep careful track of our assets we are very poor at defending them. A quality asset tracking system is critical to effective data security.
8. Breaches don’t happen in seconds. 60% of breaches take days or longer to compromise data. 40% of breaches take WEEKS or longer. That means that even after someone manages to enter your environment you still have the time and opportunity to catch them. We need to work on our detection techniques to know what it looks like when a hacker is in our environment.
9. Only 13% of breaches are contained in less than a day after discovery. What? How is this possible? I can accept that some organizations cannot turn off a critical business system even if a breach is underway due to business or SLA impact, but it is hard to comprehend that almost 9 out of 10 businesses are willing to allow the breach to continue for days, weeks and months while they work toward the solution. Why aren’t most companies unplugging the affected systems? As Verizon emphasizes, we need to plan how we will deal with a breached system ahead of time, not when the hacker is currently looting our databases.
10. Detection is about the audit logs, not IDS. Nobody is saying that IDS is worthless. What this report seems to be saying is that IDS is worth less than good audit log monitoring. Most activities a hacker performs will seem like allowable behavior and thus be ignored by the IDS. Audit logs will usually show the truth. An attack will result in a greatly increased amount of logging which should set off flags for a log monitoring system… or the attack will result in decreased or no logs (if the attacker turns off logging) which should ALSO set off flags for the logging system. A well tuned log management system is our best shot at catching a hacker that’s made it onto our systems.
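As an added illustration of the "more logs or no logs" idea above (example code written for this post, not from the Verizon report or any product): a small Python volume monitor that learns a per-minute baseline from constructed sample log lines, then flags windows far above that baseline (a spike) and windows with no events at all (silence, as when logging is switched off). The host name, messages and thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def parse_ts(line):
    """The ISO-8601 timestamp is the first whitespace-separated field."""
    return datetime.fromisoformat(line.split(" ", 1)[0])

def bucket_counts(lines, window=timedelta(minutes=1)):
    """Return {window_start: line_count}, filling in zero-count windows
    between the first and last event so silence shows up as a 0, not a gap."""
    stamps = sorted(parse_ts(line) for line in lines)
    def floor(ts):  # align a timestamp to the start of its window
        return datetime.min + ((ts - datetime.min) // window) * window
    counts = Counter(floor(ts) for ts in stamps)
    w, end = floor(stamps[0]), floor(stamps[-1])
    while w <= end:
        counts.setdefault(w, 0)
        w += window
    return dict(sorted(counts.items()))

def volume_alerts(counts, train_windows=5, spike_factor=5.0):
    """Learn a baseline from the first train_windows windows, then flag each
    later window that is far above it ("spike") or carries no events ("silence")."""
    items = list(counts.items())
    baseline = sum(c for _, c in items[:train_windows]) / train_windows
    alerts = []
    for w, c in items[train_windows:]:
        if c == 0:
            alerts.append((w, "silence", c))
        elif c > spike_factor * baseline:
            alerts.append((w, "spike", c))
    return alerts

def constructed_log():
    """Constructed sample: steady activity 09:00-09:09, a burst at 09:10,
    four silent minutes (as if logging were disabled), then normal again."""
    base = datetime(2010, 8, 2, 9, 0)
    lines = []
    def emit(minute, n, msg):
        for i in range(n):
            ts = base + timedelta(minutes=minute, seconds=(i * 7) % 60)
            lines.append(f"{ts.isoformat()} web1 {msg}")  # web1 is a made-up host
    for m in range(0, 10):
        emit(m, 3, "sshd: session opened for user alice")
    emit(10, 40, "sshd: Failed password for invalid user guest")
    for m in range(15, 18):
        emit(m, 3, "sshd: session opened for user alice")
    return lines

if __name__ == "__main__":
    for when, kind, count in volume_alerts(bucket_counts(constructed_log())):
        print(f"{when.isoformat()} {kind:8} events={count}")
```

In a real deployment the baseline would come from a longer history and per-source windows, but the two checks stay the same: a window well above baseline, or a window that should have events and has none.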
This report offers a great opportunity to step back and reassess if we, as an industry, are focusing our protections in the right areas. For the most part, the 2010 Verizon report confirms what Information Security practitioners already knew. But there are some surprises, and being surprised every now and then is a good thing. It reminds us that we still have a lot to learn, and we still have a long way to go.