Great article making the rounds today about a new report released by Verizon Business. The Verizon Business Risk Team put together a study on a large number of data breach incidents: 500 or so over a 4-year period. The report looks at nearly every aspect of data breaches to build some real statistical data on what is usually given as anecdotal data about breaches. The report looks at what methods were used to gain access to the organization, who found out about the breach first, whether the threat could have been mitigated, the origin of the attacks, what sort of data was taken after gaining access, whether the attackers used anti-forensics techniques and more. Really a great report.
A synopsis of the report is available at the Verizon Business website. The full 29-page report (PDF) is available as well.
The report is pretty short, and also packed with colorful graphs and charts, so it is well worth the read, but I want to point out a couple of interesting findings.
Source of Attacks
73% of breaches came from external sources (that is, external to the organization that was compromised), while only 18% originated from insiders. 39% of breaches involved partner networks (the percentages sum to more than 100 because a single breach can involve more than one source). So, according to the report, a data breach incident is considerably more likely to originate from an external source than from employees or other trusted individuals within your own company. A number of analysts have been arguing that insider threats may be considerably more likely than external threats (mostly pointing to the level of access granted to insiders). Also worth noting: CERT's 2007 e-crime summary reached a similar conclusion. That summary is based on a survey sent to several hundred corporations (671 in this case), and its results were that 58% of breaches came from outsiders, 26% from insiders and 17% from sources that were simply unknown. Both reports also reached the same conclusion about the damage caused by the various sources: while external attacks are considerably more prevalent, insider attacks are considerably more damaging.
The Verizon report uses the number of records compromised to measure the severity of a breach. Using median values, external breaches compromised 30,000 records, while insider breaches compromised 375,000 records, over 12 times as many. The report also does some simple risk analysis: multiplying the likelihood of each source by its median impact (likelihood x impact), it arrives at a risk score of 21,900 for outsiders (0.73 x 30,000) and 67,500 for insiders (0.18 x 375,000).
So, interestingly, because of the hugely disproportionate damage caused by insiders, the insider risk works out to over 3 times the outsider risk. So while the chance of a given breach being caused by an insider is only about 1 in 5, a considerable amount of your energy still needs to go to managing insider threats, even though the vast majority of attacks will come from the outside.
Types of Attack
The report breaks the causes of the data breaches into 7 categories: Malcode, Hacking, Deceit, Misuse, Physical, Error and Environmental. The environmental breaches were things like a storm causing systems to reboot and lose their settings, which let attackers in (these accounted for 0.4% of the cases in the study). The rest of the numbers overwhelmingly follow the trends everyone has been talking about: malcode (malicious code, or malware) was responsible for 31% of the breaches, and hacking for 59%. The most interesting number in this part of the report concerns something any security person will tell you is one of the first things to look for: errors. Errors here cover a lot of things: misconfigurations, leftover or extra user accounts, default or blank passwords, and so on. The report says that errors were the direct cause of a breach in only 3% of the cases, but were a contributing factor in 62%.
One would hope that these kinds of misconfigurations would get picked up in routine penetration testing or vulnerability scanning, but the report doesn't go into the preparedness of the organizations at the time of the breach. The report also mentions that, while hacking is a huge source of breaches, exploitation of vulnerabilities (both known and unknown) made up less than 25% of the hacking incidents. So, while the threat of a 0-day vulnerability taking over a large number of servers is always present, during the period of the study it wasn't all that significant.
Unknown Unknowns
Another common discussion among pen testers is that large networks are inherently difficult to manage, simply due to their scale: too many systems, too many users, too many requests, too little time. The study points this out as well. A great set of bullet points from the study:
Nine out of 10 data breaches involved one of the following:
- A system unknown to the organization (or business group affected)
- A system storing data that the organization did not know existed on that system
- A system that had unknown network connections or accessibility
- A system that had unknown accounts or privileges
We refer to these recurring situations as "unknown unknowns" and they appear to be the Achilles heel in the data protection efforts of every organization - regardless of industry, size, location, or overall security posture.
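The four "unknown unknowns" above, plus the blank-password and leftover-account errors mentioned earlier, are all findable by reconciling what you believe you own against what discovery actually turns up. The script below is an added example written for this post; it is not code from the Verizon report or from the blog author. The inventory, scan results and /etc/shadow lines in it are constructed, and the "data" sets stand in for whatever a content scan would report.

```python
"""Reconcile an asset inventory against discovery results to surface the
report's "unknown unknowns" (unknown system, unknown data, unknown network
exposure, unknown accounts) plus blank-password errors.

Added example; all hosts, ports, accounts and shadow entries are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # which unknown unknown (or error) this is
    host: str
    detail: str


# Constructed inventory: what the organisation *believes* exists.
INVENTORY = {
    "10.0.1.10": {"name": "web01", "ports": {80, 443},
                  "accounts": {"root", "www"}, "data": {"public-site"}},
    "10.0.1.20": {"name": "db01", "ports": {5432},
                  "accounts": {"root", "postgres"}, "data": {"orders"}},
}

# Constructed discovery results, as a port scan plus a host audit would
# return. "data" is what a content scan found on each host.
DISCOVERED = {
    "10.0.1.10": {"ports": {80, 443, 3306},
                  "data": {"public-site", "card-export"},
                  "shadow": ["root:$6$salt$hash:19000:0:99999:7:::",
                             "www:*:19000:0:99999:7:::",
                             "backup::19000:0:99999:7:::"]},
    "10.0.1.20": {"ports": {5432}, "data": {"orders"},
                  "shadow": ["root:$6$salt$hash:19000:0:99999:7:::",
                             "postgres:!:19000:0:99999:7:::"]},
    "10.0.1.30": {"ports": {21, 22}, "data": set(),
                  "shadow": ["root:$6$salt$hash:19000:0:99999:7:::",
                             "admin::19000:0:99999:7:::"]},
}


def parse_shadow(lines):
    """Return {user: hash_field} from /etc/shadow-style lines.

    An empty hash field means the account has no password at all;
    '*' or '!' prefixes mean the account is locked.
    """
    entries = {}
    for line in lines:
        user, hash_field = line.split(":", 2)[:2]
        entries[user] = hash_field
    return entries


def reconcile(inventory, discovered):
    """Compare discovery results with the inventory and list every gap."""
    findings = []
    for host, found in sorted(discovered.items()):
        accounts = parse_shadow(found["shadow"])
        known = inventory.get(host)
        if known is None:
            # A system nobody wrote down: the first unknown unknown.
            findings.append(Finding("unknown-system", host, "not in inventory"))
        else:
            for port in sorted(found["ports"] - known["ports"]):
                findings.append(Finding("unknown-exposure", host,
                                        f"tcp/{port} listening"))
            for item in sorted(found["data"] - known["data"]):
                findings.append(Finding("unknown-data", host, item))
            for user in sorted(set(accounts) - known["accounts"]):
                findings.append(Finding("unknown-account", host, user))
        # Blank passwords are an "error" regardless of inventory status.
        for user, hash_field in sorted(accounts.items()):
            if hash_field == "":
                findings.append(Finding("blank-password", host, user))
    return findings


def summary(findings):
    """Count findings by kind, e.g. to trend them between scans."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = reconcile(INVENTORY, DISCOVERED)
    for f in results:
        print(f"{f.kind:17} {f.host:12} {f.detail}")
    print(summary(results))
```

Run against the constructed data, web01 shows an unlisted MySQL port, an unlisted data set and a "backup" account with no password, and 10.0.1.30 shows up as a host nobody owns. The useful habit is the diff itself: keep the inventory as the source of truth, run discovery on a schedule, and treat anything that appears only on the discovery side as a finding to close or to add to the inventory.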
The report finishes up with a couple conclusions and a list of recommendations:
- Align process with policy
- Achieve "essential" then worry about "excellent"
- Secure business partner connections
- Create a data retention plan
- Control data with transaction zones
- Monitor log events
- Create an incident response plan
- Increase awareness
- Engage in mock incident testing
The emphasis on that last item is mine. Odd: engage in mock incident testing to ensure that you're operating efficiently and employees know what to do in the event of strange system behavior? Seems a little deja-vu-esque... almost like I've heard that somewhere before...
Legally speaking, what is "reasonable security?" FTC punished TJX for not having it, but FTC was wrong. Verizon says 9 of 10 data breaches could have been avoided if "reasonable security" were present. That implies 9 in 10 breach victims were in violation of law. The study's outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates if reasonable security could have prevented a break-in, it does so with benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is "an extremely complex challenge." In other words, the sheer problem of locating data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon's reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
Posted by: Benjamin Wright | June 12, 2008 at 03:46 PM