Verizon report finds less shrewd attacks but more breaches
The number of data breaches nearly doubled in 2010 compared to the previous year, but the amount of stolen records decreased significantly, dropping from 144 million in 2009 to four million last year, according to the 2011 Verizon Data Breach Investigations Report, released Tuesday.
The report takes into account more than 760 breaches probed in 2010 by Verizon, the Secret Service and the National High Tech Crime Unit of the Netherlands Policy Agency, which provided an international caseload.
The seeming disparity between the low number of records exposed and the high number of actual incidents can be attributed to a shift in the cybercriminal landscape, Bryan Sartin, director of investigative response at Verizon and an author of the report, told SCMagazineUS.com.
Large-scale intrusions that compromised tens of millions of records, such as at Heartland Payment Systems and TJX, decreased in prevalence, thanks to convictions of their masterminds, such as Albert Gonzalez.
The cause of breaches
92% External attackers
17% Insiders, usually malicious
9% A combination
Source: 2011 Verizon Data Breach Investigations Report
But the number of breaches still increased, as less skilled criminals relied on automated tools to carry out easily perpetrated attacks against mostly small businesses, Sartin said. These attacks, however, yielded smaller amounts of data than Gonzalez' conquests did.
“We aren't dealing with the same organized, resourced hackers we saw in the past,” Sartin said. “It's increasingly disorganized crime that makes up the threat.”
According to the report, 61 percent of the 760 beaches investigated affected organizations with 11 to 100 employees.
That should serve as a wake-up call for organizations that may not think they are a viable target, Mike Lloyd, chief scientist for compliance and vulnerability management solutions provider Red Seal Systems, told SCMagazineUS.com on Tuesday.
“When attackers are using automated scripts, to a large extent, they don't care who you are,” he said. “They care about what you have, and they are coming for you.”
And while numerous breaches in recent months have been categorized as advanced persistent threats (APT), a name given to sophisticated and stealthy attacks often attributed to state-sponsored hackers in China, the majority of actual data loss incidents are far less menacing, Sartin said.
“It has become, in the U.S., very chic to blame your problems on the Chinese,” he said. “How do you defend against a nation-state? It sounds a lot better than a 17 year-old kid that lives in Belarus in his parent's basement.”
He said several breaches investigated last year by Verizon were publicly disclosed as an APT, but that didn't turn out to be the case.
Last's year's version of the report was notable for sounding the alarm on the insider threat. The 2010 study, the first time the Secret Service caseload was incorporated, found that 49 percent of the breaches implicated insiders, but that number fell to 17 percent this year. According to the report, that is more of an indication of "huge" increase in smaller, outside-in attacks than a drop in malicious insiders.
“2010 wasn't a success story in terms of improved security..."
– Jake Kouns, president of the Open Security Foundation
“2010 wasn't a success story in terms of improved security, that's a fact, but breaches tended to be smaller in nature,” said Jake Kouns, co-founder and president of the Open Security Foundation, which oversees the DataLossDB, which also tracks data breach incidents. “Even a smaller breach can really cause a massive impact. It doesn't need to [involve] millions of records to impact an organization or consumer.”
Enterprises often make the mistake of achieving a high level of security in certain areas, while completely neglecting others, according to the report. Instead, organizations should focus on eliminating unnecessary data, then identify a set of essential controls and implement them across the enterprise.
Joshua Corman, research director of the enterprise security practice at analyst firm The 451 Group, said the 72-page report yields a “treasure trove” of potential insights that should be carefully interpreted.
A quick read of the data may lead to complacency among larger organizations, which are increasingly facing threats to sensitive corporate data, he said. Though the report noted an “explosion” of breaches involving small businesses, it also found the number of incidents affecting large organizations, or those with 1,000 to 10,000 employees, doubled since last year.
In addition, while payment card data, authentication credentials and personal information represented the majority of data compromised in 2010, five percent, or 41 breaches investigated last year, involved the theft of intellectual property, according to the report.
Corman said this statistic should be particularly startling for large businesses wanting to protect valuable intellectual property.
“We know that IP theft is more serious, rampant and visible,” he said. “Attackers have evolved and care more about your secrets. Don't be distracted that a large number [of breaches] were automated attacks against small merchants. That doesn't make you safe.”