About six months ago I wrote about the U.S. Secret Service / Verizon RISK Team “2010 Data Breach Report.” The “2011 Data Breach Report” is now out, and once again makes interesting reading. For this report, the Dutch High Tech Crime Unit joined Verizon and the U.S. Secret Service. This year they investigated about 800 data compromise incidents.
Looking at some of the same statistics compared with the 2010 report:
- 92% of the breaches resulted from external agents (up from 70%), and they were responsible for more than 99% of the lost records (up from 98%)
- 17% implicated insiders (down from 48%)
- 17% resulted from privilege misuse (not surprisingly, also down from 48%)
- Only 1% implicated business partners (down from about 10%)
Based on this sample, it seems organizations have been paying attention to internal threats and privilege misuse – good news. However, there are two disturbing underlying observations: 93% of the internal attacks were deliberate (up from 90%), and the majority of those attacks were by regular employees and end-users, not highly placed and trusted users.
The attacks came from the usual places:
- Hacking was involved in 50% of the breaches (up from 40%) and 89% of the stolen records
- Malware was involved in 49% of the breaches (up from 38%) and 79% of the stolen records
- Social tactics were involved in 11% of the breaches (down from 28%) and 1% of the stolen records
- Physical attacks were involved in 29% of the breaches (up from 15%) and 10% of the stolen records
As in last year’s report, these percentages add up to more than 100% because a single attack may use multiple mechanisms, such as malware introduced by hacking.
The head-in-the-sand approach continues to dominate:
- 96% of breaches were avoidable through simple or intermediate controls (unchanged)
- 86% were discovered by a third party (up from 61%)
- 89% of victims required to be PCI-DSS compliant were not compliant (up from 79%)
PCI-DSS (Payment Card Industry – Data Security Standard) covers organizations that handle or process payment cards, including credit, debit and ATM cards. I think it is encouraging that only 11% (down from 21%) of the victims were PCI-DSS compliant and still successfully attacked. However, it points out that being compliant is not the same as being secure.
While attackers are getting ever more sophisticated, organizations still are not making it hard for the professionals to steal their data: 92% of the attacks were not highly difficult (up from 85%).
Possibly because of increased attention (and arrests) for attacks on financial industries, the primary targets seem to have shifted from financial services (which accounted for 35% of the stolen records in 2010, versus 90% or more in preceding years) to the retail and hospitality group (which lost 56% of the stolen records).
I have talked about three important attributes of data:
- Confidentiality means that only those people who are supposed to see the data can see it. 100% of the breaches compromised the confidentiality of the data.
- Integrity means that only authorized processes are allowed to modify data and only in very specific ways. 90% of the breaches compromised the integrity of the data.
- Availability means that the data is accessible when needed. Only 1% of the breaches compromised the availability of the data. This is too bad, because if the data was no longer available you would likely hear about the problem sooner.
I recently attended an Imperva Webinar with Rob Rachwald (Director of Security Strategy at Imperva) and Larry Ponemon (CEO of the Ponemon Institute). They made three probably obvious but important statements:
- The bad guys know the value of data better than the good guys.
- The good guys have more vulnerabilities than time and effort can manage.
- The good guys have to protect all vulnerabilities. The bad guy only needs to find one.
Attackers are early adopters, and they are constantly evolving their tools.
My recommendations are essentially unchanged from last year:
If your organization is one of those who has done nothing about this problem, there are some simple things you can do to make yourself safer:
- Keep your OS and application software up to date.
- Keep your virus / malware protection software up to date and make sure it is running on every system. Configure it to be automatically and frequently updated.
- Concentrate on protecting your database servers and controlling who has any access to them.
- Train your employees on the value of your data and that of your customers, and the fairly simple social attacks they will see. Emphasize that they must control their passwords. Remind them of your security policy. Create one if you don’t have one.
Less simple and inexpensive, but important, steps:
- Restrict and monitor privileged users.
Trust but verify. Make sure you know who your employees really are. Don’t give users more privileges than they need. Separate duties to limit what any one person can do alone. Make sure all privileged use is logged. Logging alone is not enough, though: you must also monitor and review these logs.
- Watch for even minor policy violations.
Every policy violation may be an indicator that something sinister is behind it, or that it is preparation for a major attack that is coming soon.
- Implement measures to prevent the stealing of credentials and the use of stolen credentials.
Keep your malware protection software up to date to keep credential-stealing software off your systems. Use two-factor authentication for everybody.
- Monitor and filter traffic leaving your network.
You are probably filtering incoming network traffic, even if it is just via a firewall and your email spam filter. Are you also filtering your outgoing network traffic, looking for suspicious data, unusually large transfers, or unknown destinations?
- Actually monitor and analyze your logs.
Most organizations generate fairly complete logs, but don’t look at them. There are some fairly simple things that you can do to monitor logs in near real time to detect anomalies and report them. This could be a simple script that looks for things like an unusual number of log entries at an unusual time of day and sends an alert.
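To make the "monitor and filter traffic leaving your network" recommendation concrete, here is an added example (not code from the original post) that reviews outbound connection records against an allowlist of known external destinations, the ports the site normally uses, and a per-host outbound byte budget. The flow records, the allowlist, the host names and the budgets are all constructed assumptions; a real deployment would feed it firewall or NetFlow exports.

```python
"""Egress review over constructed outbound connection records.

Added example, not code from the original post. It flags outbound flows
that go to destinations outside an allowlist, to ports the site does not
normally use, or that move more data out of a host than its budget allows.
The flow records, the allowlist and the budgets are constructed assumptions.
"""
from collections import defaultdict
import ipaddress

# Internal address space (RFC 1918); anything else is treated as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist: the external networks this site is known to talk to, and the ports it uses.
ALLOWED_DESTS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_PORTS = {80, 443}
# Assumed outbound byte budget per host for one review window. A database server
# has little reason to push data out at all, so it gets a much tighter budget.
BYTE_BUDGET = {"db-01": 100_000}
DEFAULT_BUDGET = 1_000_000

# Constructed flow records: (source host, destination IP, destination port, bytes sent).
FLOWS = [
    ("ws-101", "203.0.113.10", 443, 12_000),
    ("ws-101", "203.0.113.10", 443, 9_500),
    ("db-01",  "198.51.100.7", 443, 4_200_000),   # DB server pushing 4 MB to an unknown host
    ("ws-102", "192.0.2.44",   4444, 1_500),      # unknown host on an unusual port
    ("ws-103", "203.0.113.10", 443, 30_000),
    ("db-01",  "10.0.0.5",     1521, 800_000),    # internal traffic, not egress
]


def is_internal(ip):
    """True if the address lies inside the site's own (assumed RFC 1918) address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def review_egress(flows, allowed_dests=ALLOWED_DESTS, allowed_ports=ALLOWED_PORTS,
                  budgets=BYTE_BUDGET, default_budget=DEFAULT_BUDGET):
    """Return a list of (reason, ...) alert tuples for the suspicious outbound flows."""
    alerts = []
    sent_by_host = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if is_internal(dst):
            continue                       # only traffic leaving the network is reviewed
        addr = ipaddress.ip_address(dst)
        if not any(addr in net for net in allowed_dests):
            alerts.append(("unknown-destination", src, dst, port))
        if port not in allowed_ports:
            alerts.append(("unexpected-port", src, dst, port))
        sent_by_host[src] += nbytes
    for src, total in sent_by_host.items():
        if total > budgets.get(src, default_budget):
            alerts.append(("volume-exceeded", src, total))
    return alerts


if __name__ == "__main__":
    for alert in review_egress(FLOWS):
        print(alert)
```

Run on the constructed records, the database server is flagged twice (an unknown destination and a blown byte budget) and the workstation talking to port 4444 twice (unknown destination and unexpected port); the ordinary HTTPS traffic and the internal database connection produce nothing. The point is the per-host budget: a workstation sending a megabyte out is unremarkable, while a database server sending four megabytes out is exactly the kind of egress the report's victims never noticed.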
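The "simple script that looks for an unusual number of log entries at an unusual time of day" described above, as an added example that is not part of the original post. It parses syslog-style lines, counts events per hour, compares each hour against an assumed per-hour baseline (mean and standard deviation, as one would learn from earlier weeks of logs), and raises an alert for any hour that is well above normal, naming the user behind most of the activity. The log lines, the host and user names, and the baseline figures are constructed.

```python
"""Near-real-time log review over constructed log lines.

Added example, not code from the original post. It parses syslog-style
lines, counts events per hour, compares each hour against an assumed
baseline (mean and standard deviation per hour of day) and raises an
alert for any hour far above normal, naming the user behind most of the
activity. The log lines and the baseline are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Assumed baseline per hour of day: (mean events, standard deviation).
# Business hours are busy; the small hours normally see almost nothing.
BASELINE = {h: (30.0, 8.0) for h in range(8, 19)}
DEFAULT_BASELINE = (1.0, 1.0)

# Constructed sample log: a normal working day, plus one login at 02:14 followed
# by a burst of table-by-table dumps. One malformed line exercises the parser.
SAMPLE_LOG = [
    "2011-05-03T09:12:01 db-01 sshd[2211]: Accepted publickey for alice from 10.0.0.21 port 51022 ssh2",
    "2011-05-03T09:40:13 db-01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/psql",
    "2011-05-03T14:02:55 db-01 sshd[2390]: Accepted publickey for bob from 10.0.0.22 port 51100 ssh2",
    "2011-05-03T02:14:07 db-01 sshd[3101]: Accepted password for dba_admin from 10.0.0.99 port 40211 ssh2",
    "this line is not in the expected format",
] + [
    f"2011-05-03T02:{15 + i // 60:02d}:{i % 60:02d} db-01 sudo: dba_admin : TTY=pts/1 ; "
    f"PWD=/root ; COMMAND=/usr/bin/pg_dump -t customers_{i:02d}"
    for i in range(40)
]


def extract_user(msg):
    """Pull the user out of an sshd 'Accepted ... for U from' or a sudo 'U : TTY=' message."""
    m = re.search(r"\bfor (?P<u>[\w.-]+) from\b", msg) or re.match(r"(?P<u>[\w.-]+) :", msg)
    return m["u"] if m else None


def parse_lines(lines):
    """Parse the lines that match LOG_RE into event dicts; skip the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "host": m["host"],
            "prog": m["prog"],
            "user": extract_user(m["msg"]),
            "msg": m["msg"],
        })
    return events


def find_spikes(events, baseline=BASELINE, sigmas=3.0, min_events=5):
    """Alert on every hour whose event count exceeds mean + sigmas * stdev for that hour of day."""
    by_hour = defaultdict(list)
    for e in events:
        by_hour[e["ts"].replace(minute=0, second=0)].append(e)
    alerts = []
    for hour, evs in sorted(by_hour.items()):
        mean, stdev = baseline.get(hour.hour, DEFAULT_BASELINE)
        threshold = mean + sigmas * stdev
        # min_events keeps a single stray entry in a quiet hour from paging anyone.
        if len(evs) > threshold and len(evs) >= min_events:
            users = Counter(e["user"] for e in evs if e["user"])
            top_user, top_n = users.most_common(1)[0] if users else (None, 0)
            alerts.append({"hour": hour, "count": len(evs), "threshold": threshold,
                           "top_user": top_user, "top_user_events": top_n})
    return alerts


if __name__ == "__main__":
    for a in find_spikes(parse_lines(SAMPLE_LOG)):
        print(f"ALERT {a['hour']:%Y-%m-%d %H:00}: {a['count']} events "
              f"(threshold {a['threshold']:.0f}), mostly {a['top_user']} ({a['top_user_events']})")
```

On the constructed log the 09:00 and 14:00 hours sit far below their business-hours threshold, while the 02:00 hour holds 41 events against a threshold of 4 and is reported with dba_admin as the user behind all of them. In practice the baseline would be recomputed from the previous few weeks rather than hard-coded, and the print call would be replaced by whatever actually reaches a person, since an alert nobody reads is no better than the unread logs the report describes.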
The Cloud was not a factor in these breaches. While some of the breaches involved hosted or managed systems and virtual environments, the attacks were not enabled by those technologies or delivery mechanisms. It continues to be all about controlling your assets and data, no matter where they are.
Continue to be paranoid. Large parts of the world are out to get you. Make security one of your business imperatives, not just an IT imperative.
The last word:
I recently finished Donald Rumsfeld’s new book Known and Unknown: A Memoir. You can get it at Amazon or, better yet, at your local bookstore. I recommend it to anyone who has been aware of the world over the past 40 years or so. He was both the youngest (under President Gerald Ford) and oldest (under President George W. Bush) Secretary of Defense, served four terms in the U.S. House of Representatives, was White House Chief of Staff for part of the Ford Administration, served as the U.S. Permanent Representative to NATO, and between all of this was the president of G.D. Searle and Company for 8 years, the CEO of General Instrument for 4 years, and the Chairman of Gilead Sciences for 4 years. Whether you agree with his politics or not, he provides an interesting view into a lot of important events and personalities.
Keep your sense of humor.