Verizon's 2010 DBIR: Rise in Misuse, Malware and Social Engineering

The 2010 Verizon Data Breach Investigation Report reveals that malware, misuse, and social engineering jumped up considerably in the 143+ million compromised data records from breaches last year.

According to the 2010 Verizon Data Breach Investigations Report (DBIR), the overall number of data breaches declined in 2009. “The reduction in breaches is a positive sign that we are gaining some ground in the fight against cybercrime,” said Peter Tippett, Verizon Business vice president of technology and enterprise innovation. What has not changed is that servers and apps account for 98.5% of total records compromised.

The 2010 DBIR, based on a first-of-its-kind collaboration with the U.S. Secret Service (USSS), has found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups. Tippett said, “By including information from the Secret Service caseload, we are expanding both our understanding of cybercrime, and our ability to stop breaches.” The combined data of Verizon and the Secret Service -- which investigates financial crimes -- spans the last six years and covers 900+ breaches involving more than 900 million compromised records. "Misuse sits atop the list of threat actions leading to breaches in 2009. That’s not to say that Hacking and Malware have gone the way of the dinosaurs; they ranked #2 and #3 and were responsible for over 95% of all data compromised. Weak or stolen credentials, SQL injection, and data-capturing, customized malware continue to plague organizations trying to protect information assets. Cases involving the use of social tactics more than doubled and physical attacks like theft, tampering, and surveillance ticked up several notches."

Threat action categories by percent of breaches and records are as follows: Malware (38% of breaches, 94% of records), Hacking (40% of breaches, 94% of records), Social (28% of breaches, 3% of records), Misuse (48% of breaches, 3% of records), Physical (15% of breaches, 1% of records), Error (2% of breaches, <1% of records), Environmental (0% of breaches, 0% of records).

Key findings of the 2010 report include: 69% of data breaches were caused by external sources, while only 11% were linked to business partners. 49% were caused by insiders, which is an increase over previous report findings, primarily due to an expanded dataset and the types of cases studied by the Secret Service. Privilege misuse played a big part in breaches: 48% of breaches were attributed to users who abused their right to access corporate information for malicious purposes. Another 40% of breaches were the result of hacking, while 28% were due to social tactics, and 14% to physical attacks. As in previous years, nearly all data was breached from servers and online applications. 85% of the breaches were not considered highly difficult. A whopping 87% of victims had evidence of the breach in their log files, yet missed it. Most breaches were considered avoidable if security basics had been followed. Only 4% of breaches required difficult and expensive protective measures. Organized criminal groups were responsible for 85% of all stolen data last year.

79% of victims subject to the PCI-DSS standard hadn’t achieved compliance prior to the breach.  

Given enough time, resources and inclination, criminals can breach virtually any single organization they choose but do not have adequate resources to breach all organizations. In the big breaches, the attacker hacks into the victim’s network (usually by exploiting some mistake or weakness) and installs malware on systems to collect (lots of) data. Stop adversaries before they own the box because it’s awfully hard to stop them once they have. 2009 showed a substantial upswing in malware. Verizon's graph below shows malware functionality by percent of breaches within malware and, in red, percent of records.

Inside jobs are not a myth. Cybercriminals are skilled manipulators who persuade disgruntled system admins or those in financial trouble to sell their logons or VPN access. Bryan Sartin, director of investigative response, Verizon Business, said, "Insiders always get caught." Social engineering tactics played a role in a much larger percentage (28% vs. 12% in 2008) of breaches. Social tactics employ deception, manipulation, intimidation, etc. to exploit the human element, or users, of information assets. Solicitation and bribery occurred more often than any of the other types of social tactics. According to the USSS, these are usually organized criminal groups who recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score. The smaller end of these schemes often targets cashiers at retail and hospitality establishments, while the upper end is more prone to involve bank employees and the like. Other common social tactics observed in 2009 were phishing and pretexting.

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits. Actions recommended for enterprises include:

Restrict and monitor privileged users. The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged and messages detailing activity generated to management.

Watch for ‘Minor’ Policy Violations. The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization’s policies. Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.

Implement Measures to Thwart Stolen Credentials. Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.

Monitor and Filter Outbound Traffic. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.

Change Your Approach to Event Monitoring and Log Analysis. Third-party fraud detection is still the most common way breach victims come to know of their predicament, but almost all victims have evidence of the breach in their logs. It doesn’t take much to figure out that something is amiss and make needed changes. Organizations should make time to review batch-processed data and log analysis more thoroughly. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.

Share Incident Information. An organization’s ability to fully protect itself is based on the information available to do so.  Verizon believes the availability and sharing of information are crucial in the fight against cybercrime.  We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.

Regarding logs, needles and haystacks, Verizon's Bryan Sartin said it's important for network admins to go over their logs to spot a breach, as often it is not a matter of finding the needle in the haystack, but simply the haystack. "We consistently find that nearly 90% of the time logs are available but discovery via log analysis remains under 5%. We often find what we’re looking for because of three major tip-offs: 1) abnormal increase in log data, 2) abnormal length of lines within logs, 3) absence of (or abnormal decrease in) log data. We’ve seen log entries increase by 500% following a breach. We’ve seen them completely disappear for months after the attacker turned off logging. We’ve noticed SQL injection and other attacks leave much longer lines within logs than standard activity. Those are more like haystacks than needles." A complete copy of the “2010 Data Breach Investigations Report” is available at http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf (image credits: Verizon 2010 DBIR)
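The three "haystack" tip-offs Sartin describes (a jump in log volume, abnormally long lines, and logs that go quiet) are all coarse statistics that need no signature knowledge, which is why they are cheap to check continuously. The following is an added example, not code from the report or from Verizon, showing one way to compute them over a web-server style log. It assumes a line format of `<ISO-8601 timestamp> <client-ip> <request>` and builds its own constructed sample: a day of steady traffic, one flood hour containing a few over-long requests, three hours with nothing logged, then normal traffic again. Thresholds (5x the median hourly volume for a spike, 0.2x for a drop, 3x the median line length for a long line) are illustrative choices, not values from the report.

```python
"""Three coarse log tip-offs: volume spike, over-long lines, silent hours."""
import statistics
from collections import Counter
from datetime import datetime, timedelta


def parse_line(line):
    """Assumed format: '<ISO-8601 timestamp> <client-ip> <request>'."""
    ts, _client, request = line.split(" ", 2)
    return datetime.fromisoformat(ts), request


def hourly_counts(lines):
    """Count lines per clock hour, filling hours with no lines as 0 so a
    logging outage shows up as a gap instead of silently vanishing."""
    stamps = [parse_line(line)[0] for line in lines]
    counts = Counter(t.replace(minute=0, second=0, microsecond=0) for t in stamps)
    hour, end = min(counts), max(counts)
    while hour <= end:
        counts.setdefault(hour, 0)
        hour += timedelta(hours=1)
    return dict(sorted(counts.items()))


def volume_anomalies(counts, spike_factor=5.0, drop_factor=0.2):
    """Tip-offs 1 and 3: hours far above or far below the median hourly volume.
    The median is used as the baseline because it is not pulled by the outliers
    we are looking for."""
    baseline = statistics.median(counts.values())
    spikes = [h for h, n in counts.items() if n >= baseline * spike_factor]
    gaps = [h for h, n in counts.items() if n <= baseline * drop_factor]
    return baseline, spikes, gaps


def long_line_anomalies(lines, factor=3.0):
    """Tip-off 2: lines much longer than the median line length."""
    median_len = statistics.median(len(line) for line in lines)
    return [line for line in lines if len(line) > median_len * factor]


def analyze(log_text):
    """Run all three checks and return the findings as plain data."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    counts = hourly_counts(lines)
    baseline, spikes, gaps = volume_anomalies(counts)
    return {
        "baseline_per_hour": baseline,
        "spike_hours": [h.isoformat() for h in spikes],
        "silent_hours": [h.isoformat() for h in gaps],
        "long_lines": long_line_anomalies(lines),
    }


def build_sample_log():
    """Constructed sample data (not from the report): 24 hours of 8-12 requests
    each, an 80-request hour with three over-long requests, three silent hours
    (as if logging had been switched off), then normal traffic resumes."""
    base = datetime(2009, 6, 1)
    lines = []

    def add(ts, i, request=None):
        req = request or f"GET /page{i}.html"
        lines.append(f"{ts.isoformat()} 10.0.0.{i % 5 + 1} {req}")

    for h in range(24):                       # steady day
        for i in range(8 + h % 5):
            add(base + timedelta(hours=h, minutes=5 * i), i)
    flood = base + timedelta(hours=24)        # hour 24: volume spike
    for i in range(80):
        req = "GET /search?q=" + "x" * 200 if i % 30 == 0 else None
        add(flood + timedelta(minutes=i * 3 // 4, seconds=i * 7 % 60), i, req)
    resume = base + timedelta(hours=28)       # hours 25-27 logged nothing
    for i in range(10):
        add(resume + timedelta(minutes=5 * i), i)
    return "\n".join(lines)


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(key, value if key != "long_lines" else len(value))
```

On the constructed sample the baseline is 10 lines per hour, hour 24 is flagged as a spike, hours 25 through 27 are flagged as silent, and the three 200-character requests are the only long lines. In practice the baseline should be computed per source and per hour-of-day, since a quiet weekend hour looks like an outage against a weekday median; the point of the example is that all three tip-offs fall out of counting and measuring lines, without parsing their content.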

Follow me and all the other Microsoft Subnet bloggers on Twitter @microsoftsubnet
