Today Verizon released the 2011 Data Breach Investigations Report: our single best source of actual incident data in the security industry, based on comprehensive metrics gathered during hundreds of incident investigations.
In the coming weeks there won’t be any shortage of stories on, and analysis of, the DBIR. Rather than rehashing all the talking points we expect other sources to cover well, we will instead focus on actionable guidance based on the report. We will focus on how to read the DBIR, what it teaches us, and how should it change what you do.
How to read the DBIR
With so much data it’s all too easy to get lost in the numbers. It’s also very easy to lose context and misinterpret what’s in there. First let’s cover the four most important trends:
- The industrialization of attacks: There is an industry encompassing many actors, from coders to attackers to money launderers. They use automated tools and manage themselves and their operations as businesses – including use of independent contractors. Like any other business, these folks want to maximize profits and minimize risk, and the results of the 2011 DBIR show their work towards these goals – especially compared with the 2009 and 2010 DBIRs.
- Financial attacks focused on leveraged activities such as credit card skimming, point of sale attacks, and ACH fraud: This ties in with the first point: instead of spending massive resources for high risk/high gain (Gonzalez-style attacks), attackers are hammering the financial system’s weak points with significant automation to broaden scope and expand their scale.
- All forms of attack are up by all threat actors: If someone writes (or tweets) that APT is a myth or IP loss isn’t a problem based on this report, kick them in the nuts. Hard. Twice.
- Law enforcement really does catch some of the bad guys: 1,200 arrests over the past several years by the Secret Service alone. Many of these bad guys/gals attack small business. We could use more, given the scale of the problem, but law enforcement is having an impact.
I will add my own interpretation, which I have separated from the direct DBIR trends:
Successful financial attacks (more often than not) target smaller organizations, whereas complex IP (intellectual property) attacks focus (more often than not) on larger or specialized organizations. So for the first time we see a type of market segmentation by attackers. Using automated systems against weak targets and riding the associated economies of scale can be very lucrative, and it’s not surprising to see these targets multiply. But that doesn’t mean bigger companies, more sophisticated about security, are in the clear. We also see an increase in sophisticated attacks focusing on IP, although these numbers are not as obvious in the DBIR data.
And now highlights and where to focus your reading, in no particular order:
- There was a large increase in the number of incidents investigated in 2010. Even accounting for sampling bias, this is still significant. 141 breaches were evaluated in 2009, and 761 in 2010. Yes, sports fans, that’s a 5x multiple. Such a massive increase skews the trend data, so you need to understand that percentage increases and decreases may obscure important information. For example, there was a significant decline in the percentage of attacks involving SQL injection, yet the actual quantity of reported SQL injection attacks actually increased dramatically.
- There are more small and medium businesses in the world than large ones. So we should see more attacks against them, and the data skews in that direction this year.
- As stated clearly in the report and in our briefing, the increased number of incidents is mostly due to massive growth in two attack forms: compromise of remote management tools for point of sale (POS) systems in hospitality and retail, and ATM and credit card skimmers (including employees using handheld skimmers). This data came from the Secret Service and we don’t know if it is means the bad guys have found a new focus, or the Secret Service is paying more attention to these attacks. Either way, the increase is significant. Anecdotal evidence from other sources does seem to indicate attackers are increasingly focused on these areas, especially against smaller companies and outlets.
- Most of the headlines will focus on the massive drop in lost records from 361 million in 2008, to 144 million in 2009, to 4 million in 2010. You should mostly ignore this. The large numbers were highly likely due to a small number of incidents involving massive quantities of records. As the DBIR itself states, Albert Gonzales alone was responsible for tens (possibly hundreds) of millions of records lost over this time period. Pull out those few distorting large campaigns, and the general trend in lost records evens out. The trend shows more bad guys hitting smaller targets. Your risk of being attacked successfully is greater if you are in a targeted industry, such as hospitality and retail.
- Each incidence of lost intellectual property was typically counted as a single lost record. So IP theft is inherently ranked much lower in studies like the DBIR than credit card breaches, which always involve more records per incident. But the F-14’s avionics schematics probably command a slightly higher value than a single credit card…
- The VERIS framework used to collect the data uses a multiple-select system. So if 5 attack methods were used in an single attack, each method is counted. They try to make this clear in the report and don’t misinterpret these findings like most of the armchair analysts (including vendors pushing their own agendas) probably will. For example, SQL injection dropped considerably as an overall percentage of attacks… but if you normalize the data to factor in the large number of skimmers and remote management breaches, injection probably climbs back to the top 3.
- Figure 6 on page 15 is the most important in the entire report. It shows that most attacks involve hacking and malware against user devices. Network sniffing is barely a blip. Physical attacks are also a major vector (mostly skimming, according to our briefing and the report), but as we have always said, users are the weakest link and this data corroborates that.
- Page 35 is the next most important. It shows the attack pathways, and these are the chains you want to break. Remote access, web applications, and network file sharing are the top 3 attack paths. For remote access, screen sharing is the most common attack vector. This information needs to factor into your security and controls strategy.
- All the data is good, but not all of it will be relevant to you. In particular, operational IT administrators should focus on the parts that matter to them. Read the report with your industry in mind and apply the data and analysis to your specific situation. Assess whether the attack methods currently in use apply for you. This provides direct data to focus efforts to improve outcomes, and to justify new projects or support funding increases.
All the data is excellent, and Wade, Alex, and the rest of the Verizon team did an amazing job of providing context and background. So tip your hat to them. But with so much data you can still get lost, especially if you rely on press reports and vendor analyses. We recommend doing your own reading and interpretation of the data to make sure you get the full picture.
What to do
The DBIR represents the sort of data we should act on. It covers real incidents in the depth needed to help improve security. The report includes a series of recommendations, and here is our take, broken out by major industries (given the similarities between attacks within each vertical):
Hospitality, retail, and anyone with PoS systems
- If you use a service provider to manage your PoS, require use of a unique username and password for remote management. Really! Many of those folks use default usernames and passwords to gain access to back-end customer systems. Then again, if you are in that category, you probably aren’t reading this.
- Examine your physical locations for skimmers.
- Focus on the basics, and remember PCI is your friend. Sure we security folks beat on it, but it clearly represents basic security, which reduces the odds of a successful automated attack.
- Antivirus sucks, but it will still stop 40% of the attacks. Might as well keep it up to date. And who says we hate AV?
Other small businesses
- Your greatest risk is ACH fraud because that’s where your money is. So monitor your bank accounts, and set tight authorization requirements for automated transactions. You want the bank to call if money starts moving out of your account (even if it is you moving it).
- Dedicate a separate system for financial transactions. Don’t use that system for email or web browsing.
- On the systems you use for email and web browsing, use a content filtering service. An anti-spam service is a no-brainer, but given that many of the attacks involve drive-by downloads and the like, we also recommend considering a web filtering service.
- Skimming is up, which creates problems because physically securing all your ATMs isn’t very realistic. Do your best with employee and customer education and inspections.
- Use egress filtering to detect and possibly prevent data exfiltration.
- Keep doing everything else you’re doing, since it seems to be helping.
- Implement whitelisting on fixed function transaction systems to reduce malware and prevent RAM scrapers.
- Don’t just count on encrypted network connections – the attacks have moved.
- If you are a coveted target (meaning you have intellectual property interesting to APT attackers), you face determined attackers with resources. Egress filtering and extensive monitoring/full network packet capture are your best defenses. (We are reading between the lines here, based on the context and commentary in the report, because this category is ‘obscured’ by the large volume of data).
- Did we mention monitoring everything? At minimum, implement a full packet capture sandwich and then monitor some more.
We could spend weeks looking over this data, and I hope the Verizon team will have the opportunity to filter and slice it for different audiences, because this is a treasure trove of actionable information for lots of different industries and company sizes. With information like this, we can focus on outcomes-based security, closing holes we know bad guys successfully using. Yes, it’s reactive, but by now we should know it’s all about Reacting Faster and Better.