Verizon’s 2011 Data Breach Investigations Report Review

What does Verizon’s 2011 DBIR mean to your enterprise?

A few weeks ago we looked at Trustwave’s 2011 Global Security Report. This week I want to point out a few of the critical points in Verizon’s 2011 Data Breach report.

I want to start by saying that these lessons are not easy, but they are simple. It’s not easy to ensure that every system in your environment is accounted for and that you know what data is being held where. But it is simple: to ensure that your systems are being properly secured, you must know what and where they are. It’s not easy to go through every system in your environment and ensure that remote administration is turned off where it can be and closely monitored where it cannot, but it is simple: if you don’t know where the doors into your data are, you can’t defend them.

Our job in information security is not easy, but it is simple. It’s our job as information security practitioners to take the simple requirements (understand your environment, enforce least privilege) and turn them into practical, tactical game plans that our teams can implement.

With that out of the way, let’s take a look at a few of the interesting findings from Verizon’s report.

  1. Verizon found a dramatic drop in the number of records compromised this year: 2008: 361m, 2009: 144m, 2010: 4m. At this pace we should expect to see the criminals not steal any records in 2011, but actually give back 100 million or so. <Pause for hearty laugh> What’s really happening here is probably that the criminals are becoming much more discerning in their targets. As the black market value of PII goes down (due to oversupply) there’s less incentive to find that data. So criminals are now focusing their efforts on the less plentiful but more valuable data: trade secrets, military intelligence, confidential information… that is where the money is. I believe that criminals will focus less on large smash-and-grab campaigns looking for large caches of user info, and more on silent attacks where they seek to gather corporate, government and military information for larger political or financial impact.

As the value for PII goes down criminals focus more on high value corporate, government and military secrets

  2. 49% of breaches incorporated the use of malware. Trustwave’s report showed 76% of attacks involved malware. The message between these two reports is pretty clear: a very significant number of attacks are perpetrated using malicious software as a jumping-off point. This may be a Trojan designed to spread as far as possible on the internet (think Zeus), or it could be a carefully crafted application designed to infiltrate one company (think Google’s China hack). In either case it’s more important now than ever to follow safe browsing guidelines and to avoid connecting potentially compromised machines to protected networks.
  3. Last year I commented on external threats being higher than anticipated (they were 70% of attacks in 2010), and this year the figure is dramatically higher: a full 92% of attacks stemmed from external agents. It may be time for us in information security to consider anew where to allocate our resources. Is it heresy to suggest spending more time and money on external penetration testing and less on internal security awareness training? I’m not sure what the right balance is, but apparently it’s those outsiders who are once again our biggest threat.
  4. 83% of victims were targets of opportunity. It goes back to the old idea that your house doesn’t need to be totally secure, just more secure than your neighbors’ houses. Or, as the joke goes, something like this…


Two men are walking in a forest. They see a bear with children, so they start running, and the bear follows them. One man stops and starts putting on running shoes. The other guy asks him: “Do you really think that running shoes will make you run faster than the bear?” and the first guy answers “No, but it should make me faster than you!”


  5. 89% of victims that were supposed to be PCI-DSS compliant were not. Last year this number was 79%. Combine this with the fact that most of the victims were targets of opportunity, and the message is very clear: spend the time and money to meet a minimum baseline of security and your odds of being breached go down drastically.

The reality of the business world is the truth of resource scarcity. We simply can’t afford to continue doing all of the security measures we’ve done in the past, and keep adding on more and more new ones. The administrative, licensing and maintenance load becomes unbearable. Something has to give. By studying these kinds of reports over years, and finding where the real threats exist we can consider which new technologies make sense to add, and which old safeguards might not be worth their expense now.

Thanks again to the team at Verizon for sharing this excellent data with the community at large. We are in your debt.


Internal Audit and Information Security

How’s Your Relationship with Internal Audit?

Want a quick and easy way to get an idea how well your organization’s risk management program works? Take a look at how the technical staff reacts to and interacts with the internal audit team.

The role of internal audit is to aggregate internal policies, regulatory requirements, and industry best practices and then observe the organization to see how the operational reality stacks up with those goals. This is the chance for us to see if we’re walking the walk or if all our risk management policies and systems are just for show.

When your team hears that the internal auditors are coming, what is the response? No, not everyone will be thrilled to spend a day or a week sitting with auditors discussing business practices and showing proof of what they do. Schedules are tight, and fitting audit work in alongside a full schedule can be a challenge. But aside from scheduling, this should not be a grueling task. If your employees are overly concerned about the audit process, it may be that they are not properly educated about the policies and procedures required to do their job.

In a well-functioning team the opportunity for a different set of eyes to evaluate and offer feedback is invaluable. They can show us where our documentation is lacking (because the people who do it every day can naturally fill in those gaps), where our separation of duties is inadequate, or where cross-training is needed. Joe might be the best firewall administrator in the world, but letting him do all of the firewall work means that when he finally goes on vacation or gets a new job, your organization will be scrambling to fill in his position.

The biggest key to creating a positive relationship with audit, and successfully undergoing audits, is remembering that internal audit and security risk management are on the same team. We are both looking to handle risks. Our job in security is to identify and implement effective mitigating controls, and audit’s job is to flag those risks which have not yet been properly mitigated, so that management is well aware of them, and can make appropriate business decisions. If they identify a finding in your area, it’s not the end of the world. It’s an opportunity for you to improve your environment and make things better.

Security and Audit should make each other better

Information Security and Internal Audit can be extremely effective partners. Chances are that the folks on the security team are more technically savvy and more intimately familiar with the details of the corporate information systems. As such, during an audit, security can guide internal audit through the technical-speak and confusing network diagrams to uncover all kinds of valuable information, including what data is sitting where, what it’s doing, and what protections are in place. By acting as a technical consultant, the security team can provide valuable assistance to audit and make the audit findings more detailed and impactful.

On the flip side, audit can be an important ally for security. How often does your security team find a risk, bring it up to technical leaders, and have that risk ignored because of time or money scarcity? It’s an ongoing balancing act to figure out which risks need to be addressed. Security’s concerns are usually heard, but often cannot be immediately acted on. But when an item is made an audit finding it gains significant weight. Those audit findings will make their way up the chain, to the desk of the president and the board itself. Senior leadership is directly responsible for addressing and implementing audit findings. Getting audit to include the risks that security identifies is one of the most effective ways audit can assist security.

For the most part, the difference between security and internal audit is slight, but significant. We are both looking to address risk, but security is considered a part of the business, and audit must be an impartial third party. By working together both teams can become better at what they do.

If you haven’t already, go take an auditor out to lunch. Ask about what they do, and how you can help. It’s a relationship that you both will enjoy.
