Incident Response, Network Security, TDR, Vulnerability Management

Internal threats double as attackers shift strategy

While cyberthreats from external sources are still the dominant vector, criminals have begun shifting tactics and  more often are partnering with rogue insiders, according to a report released Wednesday from Verizon Business and the U.S. Secret Service.

As a result, data thieves, mostly going after credit card numbers, are becoming less reliant on software vulnerabilities as an attack vector.

The "2010 Data Breach Investigations Report," which takes into account more than 900 breaches and 900 million compromised records probed by Verizon and the Secret Service last year, found that 69 percent of data-loss incidents were linked to outsiders, while 49 percent were caused by insiders.

But the percentage of breaches attributed to outsiders has dropped nine percent since last year's study, while breaches caused by threats originating from within an organization more than doubled.

Successful cybercriminal prosecutions, such as the 20-year sentence handed down to TJX and Heartland hacker Albert Gonzalez, have signaled to cybercriminals that they need to shift their tactics to better evade law enforcement, Bryan Sartin, director of investigative response at Verizon Business, told

“Organized crime, in general, is looking for a better way in,” Sartin said.

In its own data breach investigation caseload, Verizon Business noted an increase in cases involving “insider collusion,” by which external cybercriminals partner with insiders who agree to participate in the attack, Sartin said. Often in these types of attacks, a disgruntled insider with access to sensitive information will act as an enabler by providing outside cybercriminals with corporate account information, such as authentication credentials. In the end, there often is no way to pin the crime on the external perpetrator so the insider winds up taking the fall and never even gets paid, the report found.

Overall, 48 percent of all breaches in 2009 were attributed to users who abused their rights to access corporate information for malicious purposes. In addition, 90 percent of insider threat cases resulted from deliberate malicious activity, while just six percent each were caused by unintentional activity or inappropriate conduct.

A majority of internal breaches were caused by regular employees, as opposed to accounting personnel, system administrators or upper management, who traditionally have more access rights to sensitive data.

Fifty-one percent of insider threat cases involved regular employees or end-users, while 12 percent involved both accounting staff and system administrators. Upper management caused seven percent of insider incidents.

“In general, we find that employees are granted more privileges than they need to perform their job duties, and the activities of those that do require higher privileges are usually not monitored in any real way,” the report states.

Meanwhile, the use of stolen credentials and SQL injection were the two primary hacking techniques responsible for breaches and stolen records in 2009, the report states.

Surprisingly, there was not a single confirmed hacking intrusion that involved the exploitation of a patchable software or system vulnerability, Sartin said.

This indicates that security programs, which often focus on vulnerability management, may not be as efficient and effective as they could be, the report states.

For instance, organizations generally spend a great deal of effort testing and deploying patches, but many have left their log files unchecked for months. In 87 percent of breaches, victims had evidence of the intrusion in their log files, yet missed it.

The report recommends that patching strategies should focus on coverage and consistency rather than speed, and any freed-up resources be put toward code review and configuration management.

On a positive note, there was a significant drop in the overall number of breaches last year compared to the previous year's total, the report states.

This decline may be attributed to the fact that monster breaches in previous years have flooded the criminal market with stolen financial credentials and substantially driven down their value. Instead of financial data, authentication credentials are now favored on the black market, Sartin said.

Another possible reason for the decline could be law enforcement's effectiveness in catching cybercriminals, such as Gonzalez, Sartin added.

The report also found that cybercriminals are making greater use of social engineering tactics and most data theft was caused by organized criminal groups.

The report represents a first-of-its-kind collaboration, in which the U.S. Secret Service partnered with Verizon Business to combine caseloads and deliver a more comprehensive picture of data breaches.

“The Secret Service believes that building trusted partnerships between all levels of law enforcement, the private sector and academia is the right model for facing the challenges of securing cyberspace,” Michael Merritt, assistant director of the office of investigations at the Secret Service, said in a statement. “It is through such vast and established partnerships that the Secret Service is able to help expand the collective understanding of breaches and continue to augment our advanced detection and prevention efforts.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.