Since 2004, the Verizon RISK Team has conducted an annual study of incidents of cyber crime. I previously wrote about the 2010 and 2011 reports. This year, the US Secret Service, the Australian Federal Police Cybercrime Operations Investigations Teams, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, and the UK Police Central e-Crime Unit joined Verizon to cover 855 incidents around the world.
2011 was a good year, if you were trying to steal data from people, companies or governments. The incidents Verizon studied involved the compromise of 174 million records, far more than the four million studied in 2011 (which was, admittedly, the lowest of any year in the eight-year history of the Verizon study). Cybercriminals improved their attacks, mostly against weaker targets. However, there were increased attacks against governments and companies targeting trade secrets, intellectual property and classified information.
Who is attacking us?
- Virtually all of the attacks were exclusively from external sources (95%), up from 86% in 2010 and 72% in 2009. More importantly, these attacks represented 99.9% of all compromised records.
- Thus, very few of the attacks involved exclusively internal sources (2%), down substantially from 12% in 2010 and 48% in 2009.
- Less than 1% involved business partners, no change from 2010 and down from 10% in 2009.
- 2% of attacks involved multiple agents.
How are they attacking us?
- Hacking was involved in 81% of the breaches (up from 50% in 2010 and 40% in 2009) and 99% of the compromised records.
- Malware was involved in 69% of the breaches (up from 49% in 2010 and 38% in 2009) and 95% of the compromised records.
- Physical attacks were involved in 10% of the breaches (down from 29% in 2010 and 15% in 2009) and <1% of the compromised records.
- Social tactics were involved in 7% of the breaches (down from 11% in 2010 and 28% in 2009) and 37% of the compromised records.
- Privilege misuse was involved in 5% of the breaches (down from 17% in 2010) and <1% of the compromised records.
As in last year’s report, these percentages add up to more than 100% because a single attack may use multiple mechanisms, such as malware introduced by hacking.
94% of all compromised data involved web, application or database servers (up from 76% in 2010).
The head-in-the-sand approach of many organizations continues:
- 97% of the breaches were avoidable through simple or intermediate controls.
- 92% of incidents were discovered by a third party.
- 85% of breaches took weeks or months to discover.
- 96% of victims subject to PCI DSS had not achieved compliance.
PCI-DSS (Payment Card Industry – Data Security Standard) covers organizations that handle or process payment cards, including credit, debit and ATM cards. I think it is encouraging that only 4% (down from 21% in 2009) of the victims were PCI-DSS compliant and still successfully attacked. However, it points out that being compliant is not the same as being secure.
While attackers are getting ever more sophisticated, organizations still are not making it hard for the professionals to steal their data: 96% of the attacks were not highly difficult (up from 92% in 2010 and 85% in 2009).
What is new is the prominence of activist groups, like Anonymous and WikiLeaks. While only 2% of the attacks were attributed to activist groups, 58% of the compromised records were tied to them in 2011. These groups are not motivated by simple greed, but by ideological dissent. Since every company, government or other organization has probably irritated somebody, the “I’m not very big” defense is no longer valid. Simply being associated with a product or group or belief can be sufficient to become a target in some group’s sights.
These activist groups also can confuse the statistics. For example, a very few but very large attacks against a handful of companies in manufacturing and information technology give those two industries 97% of the compromised records. Those few attacks were probably more after intellectual property than immediate financial gain. If you remove those few attacks, the industry groups with the most compromised records were finance and insurance (40%) and retail (28%). In this analysis, information technology comes in with only 7% of the compromised records, and manufacturing is a piece of the “other” category.
Over 70% of the successful attacks were against relatively small organizations with 100 or fewer employees.
Two different trends seem to be going on. One is the sharp rise of attacks by activist groups, sometimes called “hacktivism.” These groups do all-out sophisticated attacks targeted at very specific individual organizations. These groups are not in it for the money, but for the grief they can cause.
Criminals, on the other hand, have changed their focus to opportunistic attacks against weaker targets. This may be because police and similar organizations around the world have been successfully finding these criminal groups, and legislatures have been giving the police and judicial branches the laws necessary to lock up these people. “Instead of major (and risky) heists, they pilfer smaller hauls of data from a multitude of smaller organizations that present a lower risk to the attacker. Think of it as a way to streamline business processes. Find an easy way to prey on the unsuspecting, the weak, and the lame, and then simply repeat on a large scale. This high-volume, low-yield business model has become the standard M.O. for organized criminal groups.”
The biggest action type threats:
- Use of stolen, default or easily guessable login credentials (implicated in 82% of compromised records)
- Exploitation of backdoor or command and control channel (implicated in 49% of compromised records)
Almost all of the compromised records contained personal information, including government ID numbers (95%). Payment card numbers and related information, while involved in almost half of the breaches, only represented about 3% of the compromised records. Personal data is obviously valuable to the criminal attacker as a means to financial gain. Personal data is also sought by the activist groups because it not only embarrasses the attacked organization but also makes the attack personal to its customers or members. It makes a real statement and can do real damage to the attacked organization.
For the first time, the report tries to correlate data breaches with the Cloud. As expected, they found it hard to determine whether the Cloud itself was directly implicated in a breach, or just represented the hosting environment where the breach happened to occur. For the breaches studied specifically by Verizon, about a quarter of the breaches occurred where the assets were externally hosted, and 46% occurred where the assets were managed by an external organization. However, only 16% of the breaches involved assets that were externally owned. As Verizon states, “because working definitions of “the cloud” are legion, it can be difficult to answer questions about how this paradigm factors into data breaches. It’s really more about giving up control of your assets and data (and not controlling the associated risk) than any technology specific to the cloud.”
I recently wrote about BYOD – “bring your own devices,” including tablets and smart phones. They were not implicated in any of the breaches studied in this report. However, I suspect that is more due to the relative rarity of those devices last year. As their presence explodes in 2012 and beyond, expect them to become part of the risk picture.
The last word:
Who is safe? No one. The criminal attacks are shifting to the small and individually more vulnerable organizations. Since these criminal attacks are looking for the weak to cull from the herd, don’t look weak. Making it even a little hard will go a long way. Implement a firewall on all remote access. Establish and enforce password rules for everybody, and train your people on the importance of securing your data and their role in keeping it secure. Make sure your software is up-to-date with all security patches. Use effective anti-malware software and keep it updated.
The Cloud can help. Most Cloud Service Providers are really good at helping you manage these issues. Work with them, but also verify that they are doing what they say they are.
Keep your sense of humor.