How to Read and Act on the 2011 Verizon Data Breach Investigations Report (DBIR)

Today Verizon released the 2011 Data Breach Investigations Report: our single best source of actual incident data in the security industry, based on comprehensive metrics gathered during hundreds of incident investigations. In the coming weeks there won’t be any shortage of stories on, and analysis of, the DBIR. Rather than rehashing all the talking points we expect other sources to cover well, we will instead focus on actionable guidance based on the report. We will focus on how to read the DBIR, what it teaches us, and how should it change what you do. How to read the DBIR With so much data it’s all too easy to get lost in the numbers. It’s also very easy to lose context and misinterpret what’s in there. First let’s cover the four most important trends: The industrialization of attacks: There is an industry encompassing many actors, from coders to attackers to money launderers. They use automated tools and manage themselves and their operations as businesses – including use of independent contractors. Like any other business, these folks want to maximize profits and minimize risk, and the results of the 2011 DBIR show their work towards these goals – especially compared with the 2009 and 2010 DBIRs. Financial attacks focused on leveraged activities such as credit card skimming, point of sale attacks, and ACH fraud: This ties in with the first point: instead of spending massive resources for high risk/high gain (Gonzalez-style attacks), attackers are hammering the financial system’s weak points with significant automation to broaden scope and expand their scale. All forms of attack are up by all threat actors: If someone writes (or tweets) that APT is a myth or IP loss isn’t a problem based on this report, kick them in the nuts. Hard. Twice. Law enforcement really does catch some of the bad guys: 1,200 arrests over the past several years by the Secret Service alone. Many of these bad guys/gals attack small business. We could use more, given the scale of the problem, but law enforcement is having an impact. I will add my own interpretation, which I have separated from the direct DBIR trends: Successful financial attacks (more often than not) target smaller organizations, whereas complex IP (intellectual property) attacks focus (more often than not) on larger or specialized organizations. So for the first time we see a type of market segmentation by attackers. Using automated systems against weak targets and riding the associated economies of scale can be very lucrative, and it’s not surprising to see these targets multiply. But that doesn’t mean bigger companies, more sophisticated about security, are in the clear. We also see an increase in sophisticated attacks focusing on IP, although these numbers are not as obvious in the DBIR data. And now highlights and where to focus your reading, in no particular order: There was a large increase in the number of incidents investigated in 2010. Even accounting for sampling bias, this is still significant. 141 breaches were evaluated in 2009, and 761 in 2010. Yes, sports fans, that’s a 5x multiple. Such a massive increase skews the trend data, so you need to understand that percentage increases and decreases may obscure important information. For example, there was a significant decline in the percentage of attacks involving SQL injection, yet the actual quantity of reported SQL injection attacks actually increased dramatically. There are more small and medium businesses in the world than large ones. So we should see more attacks against them, and the data skews in that direction this year. As stated clearly in the report and in our briefing, the increased number of incidents is mostly due to massive growth in two attack forms: compromise of remote management tools for point of sale (POS) systems in hospitality and retail, and ATM and credit card skimmers (including employees using handheld skimmers). This data came from the Secret Service and we don’t know if it is means the bad guys have found a new focus, or the Secret Service is paying more attention to these attacks. Either way, the increase is significant. Anecdotal evidence from other sources does seem to indicate attackers are increasingly focused on these areas, especially against smaller companies and outlets. Most of the headlines will focus on the massive drop in lost records from 361 million in 2008, to 144 million in 2009, to 4 million in 2010. You should mostly ignore this. The large numbers were highly likely due to a small number of incidents involving massive quantities of records. As the DBIR itself states, Albert Gonzales alone was responsible for tens (possibly hundreds) of millions of records lost over this time period. Pull out those few distorting large campaigns, and the general trend in lost records evens out. The trend shows more bad guys hitting smaller targets. Your risk of being attacked successfully is greater if you are in a targeted industry, such as hospitality and retail. Each incidence of lost intellectual property was typically counted as a single lost record. So IP theft is inherently ranked much lower in studies like the DBIR than credit card breaches, which always involve more records per incident. But the F-14’s avionics schematics probably command a slightly higher value than a single credit card… The VERIS framework used to collect the data uses a multiple-select system. So if 5 attack methods were used in an single attack, each method is counted. They try to make this clear in the report and don’t misinterpret these findings like most of the armchair analysts (including vendors pushing their own agendas) probably will. For example, SQL injection dropped considerably as an overall percentage of attacks… but if you normalize the data to factor in the large number of skimmers and remote management breaches, injection probably climbs back to the top 3. Figure 6 on page 15 is the most important in the entire report. It shows that most attacks involve hacking and malware against user devices. Network sniffing is barely a blip. Physical attacks are also a major vector (mostly skimming, according to our briefing and the report), but

Read Post

Categorizing FUD

In a world full of TLAs (three letter acronyms), none resonates for security people as strongly as FUD. Or Fear, Uncertainty, and Doubt for you n00bs. Many of us rail at the offensive use of FUD in security sales. But let’s take a step back and acknowledge that security is like insurance. With very rare exceptions, security doesn’t help anyone sell more stuff. It doesn’t really help companies operate more efficiently. It’s basically about controlling downside risk. So it’s like insurance. You don’t buy health insurance because you want to. It doesn’t add anything to your life. It prevents you from going belly up if you have some catastrophic issue. It can maybe cut your medical bills if you are chronically ill or injury prone. But clearly you buy insurance because you feel you need to, not because you want to. Insurance brokers (at least all those I’ve dealt with) also leverage FUD in their sales cycle. They paint the picture of downside risk, which always involves preying on some fear of getting hurt, sick, etc. If I had a crystal ball and knew I (or anyone in my family) wouldn’t get sick, I’d drop health insurance like a hot potato. And your senior management is in exactly the same boat. If they thought there was no risk of losing protected data or intellectual property, you’d be out on your ass. So there will always be some level of FUD in our activities as security folks. I talked about using FUD as an end user a few years back, as well as more recently. So there can be legitimate uses of FUD to create urgency and provide a catalyst for funding. But let’s stay focused on security vendors using FUD to get you to buy their stuff. I realize it’s part of the game and I have accepted that. I don’t like it, but I accept it. But that doesn’t mean all FUD is created equal. So let’s attempt to break FUD down into a couple categories and (with your help) understand the impact of each type of FUD on the sales cycle. In this post, I’ll break down the categories of FUD we see most frequently. I started this discussion last week on Twitter, and got some great feedback. Hopefully we’ll get some more feedback on the blog (You! Yes, you! Get over to the blog and add some comments!) and come to some consensus about which kinds of FUD are common in practice. Then we’ll put together a survey to see if we can get some level of understanding about what is acceptable FUD vs. unacceptable. Dare I say it – maybe even useful FUD. In a perfect world, all our friends in the vendor community would take this feedback to heart and stop slinging bad FUD. Oy, such optimism. So here goes (in no particular order): Attack du jour press release: You know what I’m talking about here because these press releases show up in your inbox just about every day. This is the “you can stop StuxNet with our box” type release, where the vendor is trying to capitalize on some external event to get you to answer the phone. Similar to getting a call for travel insurance just after an airliner goes down. Threat reports: Almost every vendor has some kind of research capability now, so these reports basically list out which attacks and/or vulnerabilities they are seeing. Maybe they throw in some trend analysis as well. The idea is to keep your attention on common attacks, which are then addressed by the vendor’s widget or service. Breach reports: These reports are different from threat reports in that the objective is to actually study breaches – in an attempt to pinpoint both the breach’s impact and root causes. With this analysis a vendor/service provider hopes to educate potential customers on what causes breaches and how to address the risks (hopefully with their own products/services). Of course, the Verizon Data Breach report is the granddaddy of this kind of analysis. Check out Rich’s analysis of the 2010 report. Vendor surveys/peer group FUD: If you are a CISO, you get probably a dozen calls/emails a week to fill out one survey or another. Do you do this? Have you suffered from that? The vendors and researchers (like Ponemon) then assemble the data to build a case about what the masses are doing, or more likely aren’t doing. James McGovern accurately called this peer group FUD because it tries to trigger action by pointing out that either buddies friends are (or aren’t) doing something specific, and therefore you should. This also applies to the Security Benchmarking research I’m doing right now. Making security/compliance easy: One of my personal favorites: you still see vendors market events and position products with promises that using their gear will make either security or compliance (or both!) easy. And if you aren’t using their gear, your life is unnecessarily hard. Sponsored lab tests: You tend to see this kind of FUD during the sales cycle, when a vendor tries to convince you they are great and the competitor is crap, because the vendor paid some guy in a lab to run a test to which demonstrated something attractive about the vendor’s product or service. Some publications also run lab tests which straddle the line. It’s rare for money to directly change hands, but there can be backroom ad-buying hijinx. Our legal budget is rather limited so I won’t name names – these folks tend to be rather litigious – but you know who I’m talking about. Competitor sniping: Don’t you love it when vendors come in, and spend more time talking about why their competitors suck than about why they are good and how they can help you? Yeah, I hate that too. That’s competitor sniping in all its seedy glory. Cost of breach/attack analysis: We also see folks (like Larry Ponemon) who have built great businesses doing more targeted surveys, trying to understand what these security/compliance/breach issues actually cost companies. Clearly the idea is to derive an objective number that you (the practitioner) can use internally to talk about how bad it would be if something unfortunate were to happen. Yes, this

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.