Drop in hacked records points to craftier attacks, not better security

Verizon's 2011 Data Breach Report finds far fewer compromised records, but the rise in APTs could be the reason

Verizon Business has released its 2011 Verizon Data Breach Report [PDF], and it's brimming with interesting statistics that are well worth a closer look by any security-minded IT worker. Among its findings: The total number of compromised records has dropped substantially over the past couple of years, but not because organizations have come up with a superior recipe for defending their networks.

As background, the annual Verizon Data Breach Report is quickly becoming one of the most influential computer crime reports in the industry. One of its big benefits is that it is collated from actual hacking incidents and doesn't rely on inexact computer surveys, voluntary company reporting, or human kindness. The findings in the report are taken from organizations in the midst of a malicious hacking event. Verizon has previously partnered with the U.S. Secret Service, and it added cases from the Dutch National High Tech Crime Unit for this year's report. Altogether, the three organizations tracked about 800 new data compromise incidents.


The reported drop in the total number of compromised records, from 361 million individual records in 2008 to just 4 million last year, doesn't surprise me, for two reasons. First, attackers are continually employing more focused forms of attack, looking for company intellectual property and financial data (to accomplish high-value bank transfers). Phishers and credit card fraudsters, by contrast, are looking for credit card information to resell for a few dollars per record. Today's APT (advanced persistent threat) attacks are aimed at taking over entire companies. At that level, individual data records just aren't that interesting.

Second, it might have been a statistical anomaly that the three organizations contributing to the report were not called in on as many high-volume cases as in previous years. For example, the recent Epsilon data breach alone likely involved millions to tens of millions of records. Consult on a few Epsilon-scale cases and the record count goes up very fast.

Still, Verizon might be on to something. My favorite comprehensive public data breach database, hosted by the Privacy Rights Clearinghouse, isn't throwing up huge numbers for 2010 as it did in previous years. A better metric would be total overall damage rather than number of records, and some reports from other vendors do a better job of capturing it; check out the CSI Computer Crime and Security Survey, for example. I think the higher incidence of APTs last year would have significantly pushed up the overall damage figures.

The Verizon report points to several other very interesting statistics. Some of my favorites include:

  • The average time from compromise to data breach was minutes to days, not weeks or months (see report Figure 37).
  • The average time between compromise and the victim discovering it was weeks to months.
  • The average time from discovery to containment was weeks to months as well, including 2 percent of cases where containment took years or never happened at all. I suspect this latter stat is far higher in the real world.
  • Eighty-six percent of the time, the breach was discovered and reported to the victim by a third party (see report Figure 39), even though the breach probably could have easily been found by the victim if he or she had deployed normal detection systems. Sixty-nine percent of victims had event log evidence of the compromise (see report Figure 41).
  • Only 8 percent of attacks required a high level of complexity (see report Figure 34).
  • External agents were responsible for 92 percent of attacks and 99 percent of data breaches (see report Figures 7 and 12).
  • Insiders were involved in 16 percent of all cases; the crossover with the 92 percent external agent figure is due to collusion.
  • The role makeup among internal attackers was as follows: 85 percent were normal end-users, 22 percent were accounting or financial staff, 11 percent were management, and only 9 percent were IT related.

One thing hasn't changed over the years since the first report was issued: A large number of incidents could have been detected early on but were not, because the victims were not doing the fundamentals of IT security well enough. If I were an IT manager or security officer, I would focus on doing better at all the things we should have been doing for a decade or longer.

I strongly recommend that you download and read the report. It's chock-full of facts that should prove useful as you argue your case for better security to senior management.

This story, "Drop in hacked records points to craftier attacks, not better security," was originally published at InfoWorld.com.

Copyright © 2011 IDG Communications, Inc.
