Insider threats, social engineering and organized crime are some of the major causes of data breaches in the enterprise, according to the 2010 Verizon Data Breach Investigations Report. Verizon conducted the study in collaboration with the U.S. Secret Service, which allowed it to cover close to 900 breaches involving more than 900 million compromised records.
“This year we were able to significantly widen our window into the dynamic world of data breaches, granting us an even broader and deeper perspective,” said Peter Tippett, Verizon Business vice president of technology and enterprise innovation. “By including information from the Secret Service caseload, we are expanding both our understanding of cybercrime and our ability to stop breaches.”
Michael Merritt, Secret Service assistant director for investigations, said: “The Secret Service believes that building trusted partnerships between all levels of law enforcement, the private sector and academia has been a proven and successful model for facing the challenges of securing cyberspace. It is through our collaborative approach with established partnerships that the Secret Service is able to help expand the collective understanding of breaches and continue to augment our advanced detection and prevention efforts.”
Stolen identification credentials topped the list of methods used to breach secure systems. Organized criminal groups conducted 85% of data theft. The report found that only 4% of attacks required expensive and difficult protective measures; basic security protocols, if followed correctly, would have prevented a majority of the attacks.
The report emphasizes the need for being prepared and having a solid security policy in place to protect against data theft. 60% of breaches are still being discovered by third parties, and only after a long delay. Most organizations that are victims of these attacks have evidence in their logs, but they are unable to audit their systems due to a lack of resources and appropriate tools.
Here are some key points from the report:
Most data breaches investigated were caused by external sources. 69% of breaches resulted from these sources, while only 11% were linked to business partners. 49% were caused by insiders, which is an increase over previous report findings, primarily due in part to an expanded dataset and the types of cases studied by the Secret Service.
Many breaches involved privilege misuse. Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information. An additional 40% of breaches were the result of hacking, while 28% were due to social tactics and 14% to physical attacks.
Commonalities continue across breaches. As in previous years, nearly all data was breached from servers and online applications. 85% of the breaches were not considered highly difficult, and 87% of victims had evidence of the breach in their log files, yet missed it.
Meeting PCI-DSS compliance still critically important. 79% of victims subject to the PCI-DSS standard hadn’t achieved compliance prior to the breach.
Additionally, the report points out that organizations are targeted regardless of the size and type of service provided. Financial services, hospitality and retail still comprise the “Big Three” of industries affected (33%, 23% and 15%, respectively) in the merged Verizon-Secret Service dataset, though tech services edged out retail in Verizon’s caseload. A growing percentage of cases and an astounding 94 percent of all compromised records in 2009 were attributable to financial services.
Here are some steps IT administrators can take for proactive defense against data theft in the enterprise:
Restrict and monitor privileged users. The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged, and messages detailing that activity should be generated for management.
Watch for ‘Minor’ Policy Violations. The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization’s policies. Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.
Implement Measures to Thwart Stolen Credentials. Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules and IP blacklisting, and restrict administrative connections.
Monitor and Filter Outbound Traffic. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
Change Your Approach to Event Monitoring and Log Analysis. Almost all victims have evidence of the breach in their logs. It doesn’t take much to figure out that something is amiss and make needed changes. Organizations should make time to review batch-processed data and log analysis more thoroughly. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.
Share Incident Information. An organization’s ability to fully protect itself is based on the information available to do so. Verizon believes the availability and sharing of information are crucial in the fight against cybercrime. We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.
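The credential controls and log review recommended in the steps above can be combined in a single batch pass over authentication logs. The following is an added example, not taken from the report: it flags successful logins that break a time-of-use rule, come from a blacklisted network, or use an administrative account from outside a management subnet. The log format, account names, networks and hours are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, time

# Every value below is constructed for illustration, not taken from the report.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # IP blacklist
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]      # management subnet
ADMIN_USERS = {"root", "dbadmin"}                        # privileged accounts
ALLOWED_HOURS = (time(7, 0), time(19, 0))                # time-of-use window

SAMPLE_LOG = """\
2010-07-28T09:14:02 login ok user=jsmith src=10.20.4.17
2010-07-28T02:41:55 login ok user=jsmith src=10.20.4.17
2010-07-28T10:05:31 login ok user=dbadmin src=10.20.4.99
2010-07-28T11:22:10 login ok user=mlee src=203.0.113.45
2010-07-28T11:30:00 login ok user=root src=10.10.0.5
not a log line
"""

def parse(line):
    """Return (timestamp, user, source IP) for a successful login, else None."""
    parts = line.split()
    if parts[1:3] != ["login", "ok"]:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    try:
        return (datetime.fromisoformat(parts[0]), fields["user"],
                ipaddress.ip_address(fields["src"]))
    except (KeyError, ValueError):
        return None  # malformed timestamp, missing field or bad address

def audit(log_text):
    """Return (line_number, user, rule) for each login that breaks a rule."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        if rec is None:
            continue
        ts, user, src = rec
        if any(src in net for net in BLOCKED_NETS):
            findings.append((n, user, "blocked-source"))
        if not ALLOWED_HOURS[0] <= ts.time() <= ALLOWED_HOURS[1]:
            findings.append((n, user, "outside-hours"))
        if user in ADMIN_USERS and not any(src in net for net in ADMIN_NETS):
            findings.append((n, user, "admin-from-unapproved-network"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```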
A complete copy of the “2010 Data Breach Investigations Report” is now available.