What does Verizon’s 2011 DBIR mean to your enterprise?
A few weeks ago we looked at Trustwave’s 2011 Global Security Report. This week I want to point out a few of the critical findings in Verizon’s 2011 Data Breach Investigations Report (DBIR).
I want to start by saying that these lessons are not easy, but they are simple. It’s not easy to ensure that every system in your environment is accounted for and that you know what data is being held where. But it is simple: to ensure that your systems are being properly secured, you must know what and where they are. It’s not easy to go through every system in your environment and ensure that remote administration is turned off where it can be and closely monitored where it cannot, but it is simple: if you don’t know where the doors into your data are, you can’t defend them.
Our job in information security is not easy, but it is simple. It’s our job as information security practitioners to take the simple requirements (understand your environment, enforce least privilege) and turn them into practical, tactical game plans that our teams can implement.
With that out of the way, let’s take a look at a few of the interesting findings from Verizon’s report.
- Verizon found a dramatic drop in the number of records compromised this year. 2008: 361m, 2009: 144m, 2010: 4m. At this pace we should expect to see the criminals not steal any records in 2011, but actually give back 100 million or so. <Pause for hearty laugh> What’s really happening here is probably that the criminals are becoming much more discerning in their targets. As the black market value of PII goes down (due to oversupply), there’s less incentive to find that data. So criminals are now focusing their efforts on the less plentiful but more valuable data. Trade secrets, military intelligence, confidential information… that is where the money is. I believe that criminals will focus less on large smash-and-grab campaigns looking for large caches of user info, and more on silent attacks where they seek to gather corporate, government and military information for larger political or financial impact.
As the value of PII goes down, criminals focus more on high-value corporate, government and military secrets.
- 49% of breaches incorporated the use of malware. Trustwave’s report showed 76% of attacks involved malware. The message from these two reports is pretty clear: a very significant number of attacks are perpetrated using malicious software as a jumping-off point. This may be a Trojan designed to spread as far as possible on the internet (think Zeus), or it could be a carefully crafted application designed to infiltrate one company (think Google’s China hack). In either case it’s more important now than ever to follow safe browsing guidelines and to avoid connecting potentially compromised machines to protected networks.
- Last year I commented on external threats being higher than anticipated (70% of attacks in 2010), and this year the number is dramatically higher. A full 92% of attacks stemmed from external agents. It may be time for us in information security to consider anew where to allocate our resources. Is it heresy to suggest spending more time and money on external penetration testing and less on internal security awareness training? I’m not sure what the right balance is, but apparently it’s those outsiders who are once again our biggest threat.
- 83% of victims were targets of opportunity. It goes back to the old idea that your house doesn’t need to be totally secure, just more secure than your neighbors’ houses. Or, as the joke goes, something like this…
Two men are walking in a forest. They see a bear with cubs, so they start running, and the bear follows them. One man stops and starts putting on running shoes. The other guy asks him: “Do you really think that running shoes will make you run faster than the bear?” and the first guy answers, “No, but they should make me faster than you!”
- 89% of victims that were supposed to be PCI-DSS compliant were not. Last year this number was 79%. Combine this with the fact that most of the victims were targets of opportunity, and the message is very clear: spend the time and money to meet a minimum baseline of security and your odds of being breached go down drastically.
The reality of the business world is resource scarcity. We simply can’t afford to keep doing all of the security measures we’ve done in the past and keep adding more and more new ones on top. The administrative, licensing and maintenance load becomes unbearable. Something has to give. By studying these kinds of reports over the years, and finding where the real threats exist, we can consider which new technologies make sense to add and which old safeguards might not be worth their expense anymore.
Thanks again to the team at Verizon for sharing this excellent data with the community at large. We are in your debt.