Since 2004, the Verizon RISK Team has conducted an annual study of cyber crime incidents. I previously wrote about the 2010, 2011 and 2012 reports. This year, the U.S. Secret Service and 17 other worldwide government and private sector security organizations joined Verizon to cover over 47,000 security incidents and 621 confirmed breaches around the world in 2012.
Cyber criminals had another good year in 2012. The report identifies over 44 million compromised data records. The good news is that this is significantly down from the 174 million reported the previous year. The bad news is that the total record count is not yet known for 85% of the reported data breaches. Like any security issue, it is very difficult for an organization to report that it had a breach. If that report became public, it could have significant downsides for the reputation of the organization. Perhaps the most significant change is the increase in targeted attacks: attacks against a commercial or government organization solely for the purpose of gaining secrets or embarrassing the organization.
Who is attacking us?
- Virtually all of the attacks were exclusively from external sources (92%), about the same as it was the previous year (95%).
- Fourteen percent of the attacks involved internal sources, moving back up to the 2011 report level.
- Less than 1% involved business partners, no change from the previous year.
- Seven percent of attacks involved multiple agents, up from 2% the previous year.
- A significant change is that 19% are attributed to government action, primarily China’s effort to steal intellectual property.
How are they attacking us?
- Hacking was involved in 52% of the breaches, down from 81% last year and back to prior year levels.
- Malware was involved in 40% of the breaches, down from 69% last year and back to prior year levels.
- Physical attacks were involved in 35% of the breaches, up from 10% the previous year.
- Social tactics were involved in 29% of the breaches, up from 7% last year.
- Privilege misuse was involved in 13% of the breaches, up from 5% last year.
As in last year’s report, these percentages add up to more than 100% because a single attack may use multiple mechanisms, such as malware introduced by hacking.
The head-in-the-sand approach of many organizations continues:
- 78% of the breaches were avoidable through simple or intermediate controls.
- 76% of network intrusions exploited weak or stolen credentials.
- 69% of the breaches were discovered by a third party. While better than last year’s 92%, it is statistically in the ballpark of prior years. Clearly internal detection capability is consistently non-existent in the majority of organizations reporting these breaches.
- 66% of breaches took months to discover before any corrective action could begin.
There are three stages of an attack:
- Point of entry to compromise: how much time you have until you start to lose data. For about 70% of attacks, this stage is measured in hours or less.
- Compromise to discovery: how much time actually passes before you notice. As noted, for two-thirds of the events this stage is measured in months. This percentage has been steadily increasing for the past two years.
- Discovery to containment: how much time it takes you to stop the loss after you discover it. For 63% of the events this stage is measured in days or less.
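The three stages above are just differences between four timestamps per incident, bucketed onto the report's seconds-to-years scale. The following is an added example, not part of the original post or of the Verizon report, that computes those stage durations for a set of constructed incident records and reports what share of incidents fall at or below a given bucket, so a security team can produce the same "measured in hours / days / months" figures for its own incident log. The `Incident` fields, bucket boundaries and sample records are all assumptions made for the example.

```python
"""Attack timeline stages (entry -> compromise -> discovery -> containment)
bucketed into seconds ... years. Example code added to this post; the
incident records below are constructed, not real breach data."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Time-scale buckets in increasing order, with exclusive upper bounds in
# seconds for every bucket except the last (assumed boundaries).
BUCKETS = ("seconds", "minutes", "hours", "days", "weeks", "months", "years")
LIMITS = (60, 3600, 86400, 7 * 86400, 30 * 86400, 365 * 86400)

# The three stages discussed in the post: (name, start field, end field).
STAGES = (
    ("entry_to_compromise", "entry", "compromise"),
    ("compromise_to_discovery", "compromise", "discovery"),
    ("discovery_to_containment", "discovery", "containment"),
)


@dataclass(frozen=True)
class Incident:
    name: str
    entry: datetime        # attacker's initial point of entry
    compromise: datetime   # first confirmed data loss
    discovery: datetime    # victim learns of the breach
    containment: datetime  # loss stopped


def bucket(delta: timedelta) -> str:
    """Map a duration onto the coarse time scale used in the report."""
    secs = delta.total_seconds()
    if secs < 0:
        raise ValueError("timeline runs backwards")
    for name, limit in zip(BUCKETS, LIMITS):
        if secs < limit:
            return name
    return BUCKETS[-1]


def stage_durations(inc: Incident) -> dict:
    """Duration of each stage for one incident."""
    return {stage: getattr(inc, end) - getattr(inc, start)
            for stage, start, end in STAGES}


def stage_buckets(incidents) -> dict:
    """Per stage, how many incidents fall into each time bucket."""
    out = {stage: Counter() for stage, _, _ in STAGES}
    for inc in incidents:
        for stage, delta in stage_durations(inc).items():
            out[stage][bucket(delta)] += 1
    return out


def share_within(counter: Counter, slowest: str) -> float:
    """Fraction of incidents whose stage took `slowest` or less
    (e.g. share_within(c, "hours") counts seconds, minutes and hours)."""
    cutoff = BUCKETS.index(slowest)
    total = sum(counter.values())
    if total == 0:
        return 0.0
    fast = sum(n for b, n in counter.items() if BUCKETS.index(b) <= cutoff)
    return fast / total


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample incidents (hypothetical timestamps).
SAMPLE = [
    Incident("web-app", _ts("2012-03-01 10:00:00"), _ts("2012-03-01 10:02:00"),
             _ts("2012-06-15 00:00:00"), _ts("2012-06-17 00:00:00")),
    Incident("pos-malware", _ts("2012-05-10 09:00:00"), _ts("2012-05-10 09:00:30"),
             _ts("2012-09-20 12:00:00"), _ts("2012-09-20 18:00:00")),
    Incident("stolen-creds", _ts("2012-07-01 08:00:00"), _ts("2012-07-01 20:00:00"),
             _ts("2012-07-04 00:00:00"), _ts("2012-07-04 09:00:00")),
    Incident("insider", _ts("2012-01-15 00:00:00"), _ts("2012-02-20 00:00:00"),
             _ts("2012-02-25 00:00:00"), _ts("2012-03-10 00:00:00")),
    Incident("phishing", _ts("2012-10-03 14:00:00"), _ts("2012-10-03 14:30:00"),
             _ts("2012-10-09 00:00:00"), _ts("2012-10-09 16:00:00")),
]


if __name__ == "__main__":
    counts = stage_buckets(SAMPLE)
    for stage, counter in counts.items():
        print(stage, dict(counter))
    print("entry->compromise within hours:",
          share_within(counts["entry_to_compromise"], "hours"))
    print("compromise->discovery taking months:",
          1 - share_within(counts["compromise_to_discovery"], "weeks"))
```

Feeding a real incident log through `stage_buckets` gives the three distributions directly; the compromise-to-discovery figure is the one worth tracking over time, since it is the stage the post identifies as getting worse and the one internal detection is supposed to shorten.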
Once again, the Cloud was not implicated as a significant cause of any data breach. As the report states, “attacks against the virtualization technology were not present, but attacks against weakly configured devices that happened to be hosted in an external location were common—but not any more common than among internally-hosted ones.” At this point, the Cloud does not increase your risk of a data breach; but it doesn’t lower it either.
What about BYOD (bring your own device)? BYOD is the employee-driven, and often IT-fought, desire of employees to bring their own smart phones, tablets and laptops to work, especially when they are not physically in the office. The Verizon studies found only one breach involving BYOD in 2011 and a couple more in 2012. So far, anyway, BYOD does not appear to add significant risk.
For a subset of the data breaches, the report tracked where the data was when stolen. Two-thirds of the breaches stole data at rest from databases and servers. One-third was stolen from data in process by mechanisms like RAM scrapers, screen skimmers, and keyloggers that access data while it is in a server or workstation’s memory, being typed on a keyboard, or displayed on a screen. No data was compromised as data in motion across internal networks or the Internet.
Three-quarters of the attacks were opportunistic. In these cases, the victim is not specifically chosen, but was attacked because the attacker had the ability to exploit a weakness the victim exhibited. Primarily, these opportunistic attacks were for financial gain.
But one-quarter of the attacks were targeted: the attacker chose the victim, then looked for weaknesses they could exploit. These targeted attacks were spread fairly evenly across all sizes of organizations and were almost exclusively to get information: intellectual property, government secrets, or to embarrass an organization.
“Some organizations will be a target regardless of what they do, but most become a target because of what they do. If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go.”
Because the attacks ranged from targeting one-person businesses to targeting huge international companies and government organizations of all types, the appropriate mentality is to assume you have been breached. Does your security team take that view and constantly monitor and search for an on-going attack, or do they sit back and wait for someone to tell them you have been successfully attacked? The key is to be proactive.
The last word:
Of course, this excludes the largest potential source of a security breach: the U.S. Patriot Act. The U.S. government is monitoring all Internet and phone activity, including all emails and social media messages. While the U.S. government claims that the data is only used for anti-terrorism purposes, the government secretly defines what comes under the label of “anti-terrorism” to suit its own purposes. As the recent IRS episode again proves, those activities may be politically motivated. Worse, the U.S. government has demonstrated its inability to properly secure information that it holds.
“Secrecy is the keystone to all tyranny.” (Robert A Heinlein)
“They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” (Ben Franklin)
Keep your sense of humor.