How and Wow: Verizon’s Tactical Survey of Global Data Breaches
By Annie C. Bai, CIPP/US
The Verizon 2013 Data Breach Investigations Report is the sixth annual survey of data security incidents by the American telecommunications giant. Based on data provided by international law enforcement, research institutions and private forensic, investigatory and response companies, the Verizon RISK team analyzed more than 47,000 data security incidents, including 621 confirmed data breaches. The data were drawn from victims in 27 different countries.
Peppered with colorful language about miscreants, bandits, activists and international intrigue, the report is really about providing useful quantification and perspective. The who, what, why and how of data breaches reveal general trends and commonalities that can be harnessed to improve best practices. Notably, nearly all perpetrators are outsiders; financial gain is the most prominent motive; motive correlates strongly with the country of origin of an attack; access-control weaknesses are common and avoidable, and breaches are rarely detected by the victim itself, and rarely detected quickly. With this knowledge in hand, companies can immediately address the trending weaknesses highlighted in the report.
Data Breach Targets
The report confirms that all organizations, public and private, large and small, are susceptible to data breaches. The sector analysis shows that the targets of 2012 data incidents were 37 percent financial organizations, 24 percent retail and restaurants, 20 percent manufacturing, transportation and utilities, and 20 percent information and professional firms. Finance is highly susceptible to physical campaigns (ATM skimming), but retail leads in the number of network intrusions. All sizes of organizations were affected; 38 percent of breached organizations were large, meaning 1,000 or more employees. Small companies are just as vulnerable to espionage campaigns as multinational corporations. There is a correlation between industry sector and method of attack that pivots on the data the attacker wants. Hence, companies with more intellectual property assets are the targets for cyber espionage, whereas the retail and food services industries are targets for financial theft but not espionage.
Data Breach Threat Actors
An overwhelming 92 percent of breaches were perpetrated by outside actors. Organizations with more employees did not see proportionally more insider-instigated breaches. Internal actors were mostly motivated by financial gain. The external picture is as expected: over half of all external breaches stemmed from organized crime. For the first time, the second greatest source of threat is state-affiliated action.
The report finds a "fascinatingly apparent" correlation between the motive for an attack and its country of origin, which was ascertained in over 75 percent of the breaches. The majority of attacks for financial gain stemmed from organized crime out of the United States or Eastern Europe. These profiteers target laptops, desktops and file, mail or directory servers. Nearly all espionage cases, 96 percent, came out of China. Western Europeans and North Americans have a predilection for hacktivism, attacking web applications, databases and mail servers. The data were clear enough to allow the report to profile external threat actors in some compelling tables.
Internal threat actors were responsible for 14 percent of the data breaches (some breaches involved both insiders and outsiders, so the figures overlap), and their actions were mostly deliberate, malicious and for financial gain. The most prolific actors are not high-level administrators but cashiers, waiters and others working directly in the payment chain. Responsible for 40 percent of overall insider breaches, and 60 percent of small-organization insider breaches, these employees both initiate and are solicited to skim payment cards and steal customer account data. Where administrators were implicated, their actions were inadvertent in eight out of 13 cases, a clear target for improvement. Managerial and executive employees exiting an organization were prone to taking proprietary information with them, another area where policy is easy to improve: more than 70 percent of IP theft by insiders occurred within 30 days of an announcement of resignation.
Some of the findings upend popular assumptions about targeted assets. Computing may be the realm of the technically agile, but a great number of data breaches are not sophisticated by nature. Outside of ATMs, traditional hardware such as laptops, desktops and servers is still the most significant source of exposure. Forty-one percent of the incidents of misuse are due to unapproved hardware. Despite vocal concerns about third-party applications and cloud computing, the action on the ground still centers on that darn lost laptop.
As for data in transit, the report records no breaches of it at all. Two-thirds of the breaches involved data that was passively stored in databases and on file servers ("data at rest"); the other third affected data as it was being processed. Seventy-one percent of intrusions targeted user devices, up more than 10 points from 2011, and 54 percent compromised servers, down more than 10 points from 2011.
Half of breaches involved some form of hacking, and 40 percent involved malware. Of the hacking actions, 80 percent were attacks on authentication (guessed, stolen or brute-forced credentials), leading one to wonder why single-factor passwords are still in use.
Many threats use several means of attack, such as the malicious e-mail attachments that opened the way for nearly half of malware attacks. Physical ATM skimming and social engineering are on the rise. Breaches involving social tactics rose fourfold, and such tactics are increasingly popular in espionage attacks. Because successful targeted social engineering can bypass an entire corporate security system, the report recommends that corporations consider extending their IT security "into the living rooms of their CEOs." The systemic weakness is plain when 76 percent of network intrusions are attributable to weak or stolen credentials.
Small retailers and restaurants should look to improve the basic IT hygiene of their point-of-sale systems, because they are mostly attacked through weaknesses in remote administration services (exposed or weakly authenticated remote access used to manage the terminals). Financial services faced an onslaught of ATM skimming campaigns bolstered by web application attacks. For manufacturing, engineering, consulting and IT service firms, more breaches stem from targeted social attacks that open the way for the installation of multifunctional malware on internal systems. Notably, three-quarters of breaches were accomplished through threat actions that the Verizon team rated as low or very low difficulty. This is attributed to the broad nets cast by financially motivated threat actors looking for easy targets, compared to acts of espionage, which are moderately difficult to execute.
The detection situation is not improving. More than 56 percent of breaches were not detected for over one month, and 66 percent of intrusions went undiscovered for months. In particular, internal detection is low: 69 percent of breaches were detected by external parties, many of them end users. This is a sign that companies should take user complaints about system performance more seriously. Leveraging third parties as fraud detectors can be an especial boon to smaller companies. All organizations can look to improve and support the "detection capability" of their existing human resources: training bank employees to recognize skimmers, bolstering customer service representatives, and inspiring cashiers to resist and report social engineering. In fact, the report suggests that an organization's people can be readily transformed from the "weakest link" to its "greatest asset."
The report concludes with solid suggestions for all companies:
- Eliminate unnecessary data; keep tabs on what’s left.
- Perform regular checks to ensure that essential controls are met.
- Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
- Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs) that can greatly assist defense and detection.
- Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes and technology.
- Regularly measure things like "number of compromised systems" and "mean time to detection," and use these numbers to drive better practices.
- Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
- Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal.
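As an added illustration, not taken from the report or the author, the following Python computes the two metrics named in the list above (mean time to detection and number of compromised systems) together with the two detection figures the report stresses: the share of breaches that went undetected for more than a month and the share discovered by outside parties rather than the victim. The incident records, their field names and the set of "external" discovery sources are constructed assumptions for the example, not data from the report.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (assumed format; not data from the report).
# "compromised" is the estimated start of the compromise, "discovered" the date it
# was detected, "discovered_by" who found it, "systems" how many hosts were affected.
INCIDENTS = [
    {"id": "INC-001", "compromised": "2012-01-03", "discovered": "2012-04-20",
     "discovered_by": "customer", "systems": 4},
    {"id": "INC-002", "compromised": "2012-02-14", "discovered": "2012-02-16",
     "discovered_by": "internal", "systems": 1},
    {"id": "INC-003", "compromised": "2012-03-01", "discovered": "2012-07-09",
     "discovered_by": "law_enforcement", "systems": 12},
    {"id": "INC-004", "compromised": "2012-05-22", "discovered": "2012-06-30",
     "discovered_by": "internal", "systems": 2},
    {"id": "INC-005", "compromised": "2012-08-10", "discovered": "2012-09-15",
     "discovered_by": "fraud_detection_partner", "systems": 7},
    {"id": "INC-006", "compromised": "2012-10-01", "discovered": "2012-10-03",
     "discovered_by": "customer", "systems": 1},
]

# Assumed classification of discovery sources: anything not the victim's own staff
# or tooling counts as an external party, mirroring the report's framing.
EXTERNAL_SOURCES = {"customer", "law_enforcement", "fraud_detection_partner"}


def days_to_detection(record):
    """Dwell time in whole days between compromise and discovery."""
    start = datetime.strptime(record["compromised"], "%Y-%m-%d")
    end = datetime.strptime(record["discovered"], "%Y-%m-%d")
    if end < start:
        raise ValueError(f"{record['id']}: discovered before compromised")
    return (end - start).days


def detection_metrics(incidents, slow_threshold_days=30):
    """Mean/median time to detection, share of slow detections, share found by
    external parties, and total compromised systems over a set of incidents."""
    dwell = [days_to_detection(r) for r in incidents]
    n = len(incidents)
    external = sum(1 for r in incidents if r["discovered_by"] in EXTERNAL_SOURCES)
    slow = sum(1 for d in dwell if d > slow_threshold_days)
    return {
        "incidents": n,
        "mean_time_to_detection_days": mean(dwell),
        "median_time_to_detection_days": median(dwell),
        "share_over_threshold": slow / n,
        "share_externally_discovered": external / n,
        "compromised_systems": sum(r["systems"] for r in incidents),
    }


def mean_dwell_by_discoverer(incidents):
    """Mean dwell time split by whether the victim or an outsider found the breach;
    a large gap here is the signal that internal detection needs investment."""
    groups = {"internal": [], "external": []}
    for r in incidents:
        key = "external" if r["discovered_by"] in EXTERNAL_SOURCES else "internal"
        groups[key].append(days_to_detection(r))
    return {k: mean(v) for k, v in groups.items() if v}


if __name__ == "__main__":
    for name, value in detection_metrics(INCIDENTS).items():
        print(f"{name}: {value:.2f}" if isinstance(value, float) else f"{name}: {value}")
    print("mean dwell by discoverer:", mean_dwell_by_discoverer(INCIDENTS))
```

Because the median is far below the mean in this sample, a single long-running intrusion is dragging the average up; reporting both, and the threshold share, keeps one outlier from hiding (or manufacturing) a trend, which is why the report's advice is to track these numbers over time rather than quote them once.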
This story was originally published in the Information Security Breaches & The Law Blog. It is reprinted here with permission.
Annie C. Bai, CIPP/US, is a graduate of NYU School of Law. She speaks on privacy law for Pace Law School's New Directions for Attorneys—a work reentry program to which she is indebted for helping her return to the law after years as a full-time parent. She tweets via @AnnieCBai and writes for the international blog www.security-breaches.com.