Verizon's annual Data Breach Investigation Report is out today. The study is based on data analyzed from 285 million compromised records from 90 confirmed breaches. The financial sector accounted for 93 percent of all such records compromised in 2008, and 90 percent of these records involved groups identified by law enforcement as engaged in organized crime. Because this study is based on actual case data of confirmed data breaches and not on surveys or questionaires, the results are much more accurate and revealing.
This year’s key findings both support last year’s conclusions and provide new insights. These include:
• Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.
• Most breaches resulted from a combination of events rather than a single action. Sixty-four percent of breaches were attributed to hackers who used a combination of methods. In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.
• In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches.
• Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications.
• Roughly 20 percent of 2008 cases involved more than one breach. Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.
• Being PCI-compliant is critically important. 81 percent of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.
The 2009 study shows that simple actions, when done diligently and continually, can reap big benefits. Based on the combined findings of nearly 600 breaches involving more than a half-billion compromised records from 2004 to 2008, the team conducting the study recommends:
• Change Default Credentials. More criminals breached corporate assets through default credentials than any other single method in 2008. Therefore, it’s important to change user names and passwords on a regular basis, and to make sure any third-party vendors do so as well.
• Avoid Shared Credentials. Along with changing default credentials, organizations should ensure that passwords are unique and not shared among users or used on different systems. This was especially problematic for assets managed by a third party.
• Review User Accounts. Years of experience suggest that organizations review user accounts on a regular basis. The review should consist of a formal process to confirm that active accounts are valid, necessary, properly configured and given appropriate privileges.
• Employ Application Testing and Code Review. SQL injection attacks, cross-site scripting, authentication bypass and exploitation of session variables contributed to nearly half of the cases investigated that involved hacking. Web application testing has never been more important.
• Patch Comprehensively. All hacking and malware that exploited a vulnerability to compromise data were six months old, or older -- meaning that patching quickly isn’t the answer but patching completely and diligently is.
• Assure HR Uses Effective Termination Procedures. The credentials of recently terminated employees were used to carry out security compromises in several of the insider cases this year. Businesses should make sure formal and comprehensive employee-termination procedures are in place for disabling user accounts and removal of all access permissions.
• Enable Application Logs and Monitor. Attacks are moving up the computing structure to the application layer. Organizations should have a standard log-review policy that requires an organization to review such data beyond network, operating system and firewall logs to include remote access services, Web applications, databases and other critical applications.
• Define “Suspicious” and “Anomalous” (then look for whatever “it” is). The increasingly targeted and sophisticated attacks often occur to organizations storing large quantities of data valued by the criminal community. Organizations should be prepared to defend against and detect very determined, well-funded, skilled and targeted attacks.
Marcus H. Sachs
Director, SANS Internet Storm Center