Verizon just published their excellent 2012 Data Breach Investigations Report, and as usual, it’s full of statistical goodness.
(We will link to it once it’s formally released – we are writing this based on our preview copy).
As we did last year, we will focus on how to read the DBIR, what it teaches us, and how should it change what you do – we’ll leave the headline fodder for others to rehash.
If you happen to check back to our old post you might notice a bit of cut and paste, because once we reach the advice section, many things are unchanged since last year. I also decided to stick with the structure I used last year because it got a lot of positive feedback.
How to read the DBIR
Before jumping into the trends, there are five key points to keep in mind while reading the report (which covers 855 incidents):
- This is a breach report, not a generic cybercrime or attack report. The DBIR only includes data from incidents where data was stolen. If no data was exfiltrated it doesn’t count and was not included. All those LOIC attacks DDoSing your servers aren’t in here.
- Definitions matter. Throughout the DBIR the authors try to be extremely clear on how they define aspects of the data they analyze, such as direct vs. participatory factors. These are really important to understand.
- Know where the data comes from. The 2012 report includes data from 855 incidents investigated by Verizon, the US Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit of the London Metropolitan Police. In some places only Verizon data is used (and the authors are clear when they do this). There is definitely some sample bias, but that doesn’t reduce the value of this report in any way. For example, if we correlate these findings with the Mandiant M-Trends report (registration, unfortunately, required) we see consistency in trends. This is despite the differences in client base, focus, and investigative techniques.
- Verizon finally broke out large vs. small organizations. This was always my biggest wish, and for many of the numbers we can compare between organizations of more than 1,000 employees and smaller ones. (I actually consider 1,000 to be mid-sized, but it’s still a useful demarcation).
And now for my subjective interpretation of the top trends in the report:
- The industrialization of attacks continues: The majority of breaches targeted smaller organizations, used automated tools, and targeted credit cards. This doesn’t mean these were the most harmful breaches, but they certainly constituted the greatest volume.
- Hactivism and mega breaches are back, and target larger organizations: Of the 174 million records lost, 100 million were the result of hactivism against large organizations. This was only 21% of breaches against large organizations, but accounted for 61% of records lost.
- Larger organizations may be better at security, but still get breached: A variety of statistics through the report seem to show that large organizations are less prone to compromise by industrialized, automated attacks… but they are also more likely to be targeted by serious attackers.
- Remote services are the biggest vector for small organizations, and web applications for large ones: This is on page 32, and should set off alarm bells.
- Malware is everywhere: 61% of incidents involved malware + hacking, 69% of incidents included malware alone, but that accounted for 95% of lost records.
Here are some additional highlights and areas to pay special attention to, in no particular order:
- Ignore the massive increase in records lost. This is really hard to accurately quantify, and a few outliers always have a big impact. Besides, knowing how many records were lost doesn’t help you defend yourself in any way! Focus on the attack and defense trends, not the incident sizes. Besides, if anything, this trend is a regression to the mean (see page 45).
- Ignore the fact that 96% of breached organizations weren’t PCI compliant. Most of those were level 4 merchants. This shows a change in targets, not necessarily a change in the value (or lack thereof) of PCI.
- Outsourcers are a major contributing factor, especially for smaller organizations. There are endless low-end IT services companies, and very few of them appear to follow good security practices, even when PCI compliance is involved. Small businesses don’t run their own payment systems, and these are still being heavily compromised via poorly secured remote access software. I’m sure pcAnywhere being totally pwned had nothing to do with this 🙂
- Page 25 provides a good sense of how large organizations face a more diverse range of attacks. This is likely due to both being more targeted, and having better perimeter defenses against automated attacks. It’s hard to have an unsecured remote access server facing the Internet when you are required to get quarterly vulnerability scans (even cheap ones).
- Attackers always use the minimum effort necessary! If they don’t need to take a lot of time and burn an 0day, why bother? They don’t become bad guys because of a strong work ethic. So the breach statistics naturally skew towards simpler attack techniques. This is particularly important because big data sets like this don’t necessarily reflect either the defenses or attack techniques in sophisticated situations.
- Larger organizations are better at managing default passwords, but experience higher levels of phishing and credential compromises. This, again, makes a lot of sense. Smaller companies, especially those relying on service providers, are less likely to look for or have processes in place to manage default credentials. Since larger organizations tend to knock off this low-hanging fruit, the bad guys move up a level and focus on attacking the larger employee population to compromise credentials.
- Small organizations are more likely to be the direct victims of phone-based social engineering (page 33). I have personally received some of these calls and can see how someone could fall for it.
- Servers are compromised more often than endpoints (user devices), and when endpoints are compromised it’s to jump off and attack servers. Take a look at page 39, which also shows web and database servers are high on the list for larger organizations.
- Mobile is still an insignificant vector. Despite every so-called threat report making a big deal of it.
- Personally identifiable information is 95% of records lost, thanks to the mega breaches. But in terms of number of breaches, credit cards and account credentials are most often targeted. In other words most of you should focus on what’s most commonly lost and ignore the number of records lost, because those breaches are outliers.
- Large organizations are more prone to losing intellectual property, smaller organizations financial data. We have all been talking about this for a while, but the pretty picture on page 43 gives us some data to back it up. This also aligns with M-Trends and Trustwave’s reports.
- Smaller organizations are rarely directly targeted. This is actually very good news, because the “run faster than your hiking partner” strategy will work well for this group.
- Compromises take longer in large organizations, but barely. We see that 85% of the time it took seconds to minutes to compromise a small organization, but it’s only down to 71% of the time for large organizations. But in those large organizations, data is only exfiltrated in days 25% of the time. This means that a focus on detection can dramatically increase your chances of intercepting a breach before data is lost (for large organizations). Especially because page 50 shows that it takes most organizations days to months to discover a breach.
- While breaches are discovered by an external party in 92% of incidents overall, it’s still 49% of incidents for large organizations. Aren’t you glad you bought that SIEM? Now start looking at the damn reports! Verizon put in some really good log analysis advice on page 54.
- If you are a small business, follow the advice on page 62.
- Keyloggers are big!
- There’s a statistical easter egg in the report (aside from the cover crypto contest… at least I assume they have a cover contest again).
That’s a ton of notes, and I could probably go on all day. I can’t overstate the wealth of data in this report, and it is mandatory reading for any security professional.
What to do
The DBIR provides the sort of data we should act on. It covers real incidents in the depth necessary to help improve security. The report includes a series of recommendations, and here is our take, broken out by major industry (given the similarities between attacks within each vertical):
Hospitality, retail, and anyone with PoS systems
- If you use a service provider to manage your PoS, require use of a unique username and password for remote management. Really! Many of those folks use default usernames and passwords for access to back-end customer systems. Then again, if you are in that category, you probably aren’t reading this.
- Skimmers aren’t as big a deal this year but they are still out there, so keep looking for them.
- Focus on the basics, and remember PCI is your friend. Sure we security folks beat on it, but it clearly represents basic security, which reduces the odds of a successful automated attack.
- Antivirus sucks, but it will still stop a good percentage of attacks. Might as well keep it up to date. And who says we hate AV?
Other small businesses
- Your greatest risk is ACH fraud because that’s where your money is. So monitor your bank accounts and set tight authorization requirements for automated transactions. You want the bank to call if money starts moving out of your account (even if it is you moving it).
- Dedicate a separate system for financial transactions. Don’t use that system for email or web browsing.
- On the systems you use for email and web browsing, use a content filtering service. An anti-spam service is a no-brainer, but many successful attacks involve drive-by downloads and the like, so we also recommend considering a web filtering service.
- Use egress filtering to detect and hopefully prevent data exfiltration.
- Focus heavily on web-facing application servers.
- Malware is nearly always involved with breaches, so make sure you have antimalware on all servers (not consumer-grade AV).
- Keep doing everything else you’re doing, as it seems to be helping.
- Implement whitelisting on fixed function transaction systems to reduce malware.
- Don’t just count on encrypted network connections – the attacks have moved.
- You are most likely to be attacked via your web servers and phishing, in that order. This means application security should be a much higher priority than your next generation firewall, and two-factor authentication can really help and should be seriously considered for all servers.
- If you are a coveted target (meaning you have intellectual property interesting to APT attackers or activists), you face determined attackers with resources. Egress filtering and extensive monitoring/full network packet capture are your best defenses.
- Did we mention monitoring everything? At minimum, implement a full packet capture sandwich and then monitor some more.
With information like this, we can focus on outcomes-based security – closing holes we know bad guys are successfully using. Yes, it’s reactive, but by now we should know it’s all about Reacting Faster and Better.