Research

Today Verizon released the 2011 Data Breach Investigations Report: our single best source of actual incident data in the security industry, based on comprehensive metrics gathered during hundreds of incident investigations. In the coming weeks there won’t be any shortage of stories on, and analysis of, the DBIR. Rather than rehashing all the talking points we expect other sources to cover well, we will instead focus on actionable guidance based on the report. We will focus on how to read the DBIR, what it teaches us, and how should it change what you do. How to read the DBIR With so much data it’s all too easy to get lost in the numbers. It’s also very easy to lose context and misinterpret what’s in there. First let’s cover the four most important trends: The industrialization of attacks: There is an industry encompassing many actors, from coders to attackers to money launderers. They use automated tools and manage themselves and their operations as businesses – including use of independent contractors. Like any other business, these folks want to maximize profits and minimize risk, and the results of the 2011 DBIR show their work towards these goals – especially compared with the 2009 and 2010 DBIRs. Financial attacks focused on leveraged activities such as credit card skimming, point of sale attacks, and ACH fraud: This ties in with the first point: instead of spending massive resources for high risk/high gain (Gonzalez-style attacks), attackers are hammering the financial system’s weak points with significant automation to broaden scope and expand their scale. All forms of attack are up by all threat actors: If someone writes (or tweets) that APT is a myth or IP loss isn’t a problem based on this report, kick them in the nuts. Hard. Twice. Law enforcement really does catch some of the bad guys: 1,200 arrests over the past several years by the Secret Service alone. Many of these bad guys/gals attack small business. We could use more, given the scale of the problem, but law enforcement is having an impact. I will add my own interpretation, which I have separated from the direct DBIR trends: Successful financial attacks (more often than not) target smaller organizations, whereas complex IP (intellectual property) attacks focus (more often than not) on larger or specialized organizations. So for the first time we see a type of market segmentation by attackers. Using automated systems against weak targets and riding the associated economies of scale can be very lucrative, and it’s not surprising to see these targets multiply. But that doesn’t mean bigger companies, more sophisticated about security, are in the clear. We also see an increase in sophisticated attacks focusing on IP, although these numbers are not as obvious in the DBIR data. And now highlights and where to focus your reading, in no particular order: There was a large increase in the number of incidents investigated in 2010. Even accounting for sampling bias, this is still significant. 141 breaches were evaluated in 2009, and 761 in 2010. Yes, sports fans, that’s a 5x multiple. Such a massive increase skews the trend data, so you need to understand that percentage increases and decreases may obscure important information. For example, there was a significant decline in the percentage of attacks involving SQL injection, yet the actual quantity of reported SQL injection attacks actually increased dramatically. There are more small and medium businesses in the world than large ones. So we should see more attacks against them, and the data skews in that direction this year. As stated clearly in the report and in our briefing, the increased number of incidents is mostly due to massive growth in two attack forms: compromise of remote management tools for point of sale (POS) systems in hospitality and retail, and ATM and credit card skimmers (including employees using handheld skimmers). This data came from the Secret Service and we don’t know if it is means the bad guys have found a new focus, or the Secret Service is paying more attention to these attacks. Either way, the increase is significant. Anecdotal evidence from other sources does seem to indicate attackers are increasingly focused on these areas, especially against smaller companies and outlets. Most of the headlines will focus on the massive drop in lost records from 361 million in 2008, to 144 million in 2009, to 4 million in 2010. You should mostly ignore this. The large numbers were highly likely due to a small number of incidents involving massive quantities of records. As the DBIR itself states, Albert Gonzales alone was responsible for tens (possibly hundreds) of millions of records lost over this time period. Pull out those few distorting large campaigns, and the general trend in lost records evens out. The trend shows more bad guys hitting smaller targets. Your risk of being attacked successfully is greater if you are in a targeted industry, such as hospitality and retail. Each incidence of lost intellectual property was typically counted as a single lost record. So IP theft is inherently ranked much lower in studies like the DBIR than credit card breaches, which always involve more records per incident. But the F-14’s avionics schematics probably command a slightly higher value than a single credit card… The VERIS framework used to collect the data uses a multiple-select system. So if 5 attack methods were used in an single attack, each method is counted. They try to make this clear in the report and don’t misinterpret these findings like most of the armchair analysts (including vendors pushing their own agendas) probably will. For example, SQL injection dropped considerably as an overall percentage of attacks… but if you normalize the data to factor in the large number of skimmers and remote management breaches, injection probably climbs back to the top 3. Figure 6 on page 15 is the most important in the entire report. It shows that most attacks involve hacking and malware against user devices. Network sniffing is barely a blip. Physical attacks are also a major vector (mostly skimming, according to our briefing and the report), but

In a world full of TLAs (three letter acronyms), none resonates for security people as strongly as FUD. Or Fear, Uncertainty, and Doubt for you n00bs. Many of us rail at the offensive use of FUD in security sales. But let’s take a step back and acknowledge that security is like insurance. With very rare exceptions, security doesn’t help anyone sell more stuff. It doesn’t really help companies operate more efficiently. It’s basically about controlling downside risk. So it’s like insurance. You don’t buy health insurance because you want to. It doesn’t add anything to your life. It prevents you from going belly up if you have some catastrophic issue. It can maybe cut your medical bills if you are chronically ill or injury prone. But clearly you buy insurance because you feel you need to, not because you want to. Insurance brokers (at least all those I’ve dealt with) also leverage FUD in their sales cycle. They paint the picture of downside risk, which always involves preying on some fear of getting hurt, sick, etc. If I had a crystal ball and knew I (or anyone in my family) wouldn’t get sick, I’d drop health insurance like a hot potato. And your senior management is in exactly the same boat. If they thought there was no risk of losing protected data or intellectual property, you’d be out on your ass. So there will always be some level of FUD in our activities as security folks. I talked about using FUD as an end user a few years back, as well as more recently. So there can be legitimate uses of FUD to create urgency and provide a catalyst for funding. But let’s stay focused on security vendors using FUD to get you to buy their stuff. I realize it’s part of the game and I have accepted that. I don’t like it, but I accept it. But that doesn’t mean all FUD is created equal. So let’s attempt to break FUD down into a couple categories and (with your help) understand the impact of each type of FUD on the sales cycle. In this post, I’ll break down the categories of FUD we see most frequently. I started this discussion last week on Twitter, and got some great feedback. Hopefully we’ll get some more feedback on the blog (You! Yes, you! Get over to the blog and add some comments!) and come to some consensus about which kinds of FUD are common in practice. Then we’ll put together a survey to see if we can get some level of understanding about what is acceptable FUD vs. unacceptable. Dare I say it – maybe even useful FUD. In a perfect world, all our friends in the vendor community would take this feedback to heart and stop slinging bad FUD. Oy, such optimism. So here goes (in no particular order): Attack du jour press release: You know what I’m talking about here because these press releases show up in your inbox just about every day. This is the “you can stop StuxNet with our box” type release, where the vendor is trying to capitalize on some external event to get you to answer the phone. Similar to getting a call for travel insurance just after an airliner goes down. Threat reports: Almost every vendor has some kind of research capability now, so these reports basically list out which attacks and/or vulnerabilities they are seeing. Maybe they throw in some trend analysis as well. The idea is to keep your attention on common attacks, which are then addressed by the vendor’s widget or service. Breach reports: These reports are different from threat reports in that the objective is to actually study breaches – in an attempt to pinpoint both the breach’s impact and root causes. With this analysis a vendor/service provider hopes to educate potential customers on what causes breaches and how to address the risks (hopefully with their own products/services). Of course, the Verizon Data Breach report is the granddaddy of this kind of analysis. Check out Rich’s analysis of the 2010 report. Vendor surveys/peer group FUD: If you are a CISO, you get probably a dozen calls/emails a week to fill out one survey or another. Do you do this? Have you suffered from that? The vendors and researchers (like Ponemon) then assemble the data to build a case about what the masses are doing, or more likely aren’t doing. James McGovern accurately called this peer group FUD because it tries to trigger action by pointing out that either buddies friends are (or aren’t) doing something specific, and therefore you should. This also applies to the Security Benchmarking research I’m doing right now. Making security/compliance easy: One of my personal favorites: you still see vendors market events and position products with promises that using their gear will make either security or compliance (or both!) easy. And if you aren’t using their gear, your life is unnecessarily hard. Sponsored lab tests: You tend to see this kind of FUD during the sales cycle, when a vendor tries to convince you they are great and the competitor is crap, because the vendor paid some guy in a lab to run a test to which demonstrated something attractive about the vendor’s product or service. Some publications also run lab tests which straddle the line. It’s rare for money to directly change hands, but there can be backroom ad-buying hijinx. Our legal budget is rather limited so I won’t name names – these folks tend to be rather litigious – but you know who I’m talking about. Competitor sniping: Don’t you love it when vendors come in, and spend more time talking about why their competitors suck than about why they are good and how they can help you? Yeah, I hate that too. That’s competitor sniping in all its seedy glory. Cost of breach/attack analysis: We also see folks (like Larry Ponemon) who have built great businesses doing more targeted surveys, trying to understand what these security/compliance/breach issues actually cost companies. Clearly the idea is to derive an objective number that you (the practitioner) can use internally to talk about how bad it would be if something unfortunate were to happen. Yes, this