Unplug Everything!

Just kidding…partially. Have you seen the latest 2011 Verizon Data Breach Investigations Report? It is chock full of data about breaches, vulnerabilities, industry demographics, threats and all the other internet security terms that make the headlines. It is an interesting view into cybercrime and like last year, there is also information and analysis from the US Secret Service, who arrested more than 1200 cybercrime suspects in 2010. One very interesting note from the Executive Summary is that while the total number of records compromised has steadily gone down – ‘08: 361 million, ‘09: 144 million, ‘10: 4 million – the case loads for cybercrime is at an all time high – 141 breaches in 2009 to a whopping 760 in 2010. One reason may be is that the criminals themselves are doing the time-honored ‘risk vs. reward’ scenario when determining their bounty. Hey, just like the security pros! Oh yeah….the crooks are pros too. Rather than going after the huge financial institutions in one fell swoop or mega-breach, they are attempting many more low risk type intrusions against restaurants, hotels and smaller retailers. Hospitality is back on the top of the list this year, followed by retail. Financial services round out pole position, but as noted, the criminals will always have their eye on our money. Riff-raff also focused more on grabbing intellectual property rather than credit card numbers.

The Highlights:

The majority of breaches, 96%, were avoidable through simple or intermediate controls; if only someone decided to prevent them.
89% of companies breached are still not PCI compliant today, let alone when they were breached.
External attacks exploded in 2010, and now account for the vast majority at 92% and over 99% of the lost records.
83% of victims were targets of opportunity. Most attacks are opportunistic, with criminal rings relying on automation to discover susceptible systems for them.
Most breaches aren’t discovered for weeks to months, and most breaches, 86%, are discovered by third-parties, not internal security teams.
Malware and ‘hacking’ are the top two threat actions by percentage of breaches, 50%/49% respectively, along with tops in percentage of records 89%/79%. Misuse, a strong contender last year, went down in 2010.
Within malware, sending data to an external source, installing backdoors and key logger functions were the most common types and all increased in 2010.
92% of the attacks were not that difficult.

You may ask, ‘what about mobile devices?’ since those are a often touted avenue of data loss. The Data Breach Report says that data loss from mobile devices are rarely part of their case load since they typically investigate deliberate breaches and compromises rather than accidental data loss. Plus, they focus on confirmed incidents of data compromise. Another question might have to do with Cloud Computing breaches. Here they answer, ‘No, not really,’ to question of whether the cloud factors into the breaches they investigate. They say that it is more about giving up control of the systems and the associated risk than any cloud technology.

Now comes word that subscribers of Sony’s PlayStation Network have had their personal information stolen. I wonder how this, and the other high profile attacks this year will alter the Data Breach Report next year. I’ve written about this type of exposure and felt it was only a matter of time before something like this occurred. Gamers are frantic about this latest intrusion but if you are connected to the internet in any way shape or form, there are risks involved. We used to joke years ago that the only way to be safe from attacks was to unplug the computers from the net. With the way things are going, the punch line is not so funny anymore.

Resources:

Published Apr 27, 2011

Version 1.0