The number of financial and confidential records compromised as a result of data breaches in 2010 fell dramatically compared to previous years, a decrease that cybercrime investigators attribute to a sea-change in the motives and tactics used by criminals to steal information. At the same time, organizations of all sizes are dealing with more frequent and smaller breaches than ever before, and most data thefts continue to result from security weaknesses that are relatively unsophisticated and easy to prevent.
These are some of the conclusions drawn from Verizon‘s fourth annual Data Breach Investigations Report. The report measures data breaches based on compromised records, including the theft of Social Security numbers, intellectual property, and credit card numbers, among other things.
It’s important to note at the outset that Verizon’s report only measures loss in terms of records breached. Many businesses hit by cyber crooks last year lost hundreds of thousands of dollars apiece when thieves stole one set of records, such as their online banking credentials.
The data-rich 74-page study is based on information gleaned from Verizon and U.S. Secret Service investigations into about 800 new data compromise incidents since last year’s report (the study also includes an appendix detailing 30 cybercrime cases investigated by the Dutch National High Tech Crime Unit).
Although the report examines the data from more breaches in a single year than ever before (the total Verizon/US Secret Service dataset from all previous years included just over 900 breaches), Verizon found that the total number of breached records fell from 361 million in 2008 to 144 million in 2009 to just 4 million last year.
A good portion of the report is dedicated to positing what might be responsible for this startling decline, but its authors seem unwilling to let the security industry take any credit for it.
“An optimist may interpret these results as a sign that the security industry is WINNING! Sorry, Charlie”, the report says. “While we’d really like that to be the case, one year just isn’t enough time for such a wholesale improvement in security practices necessary to cut data loss so drastically.”
The study suggests a number of possible explanations. For example:
-There were relatively few huge data heists. Those which had been responsible for the majority of the breached records in the past few years were breaches involving tens of millions of stolen credit and debit cards. Those high profile attacks may have achieved fame and fortune for the attackers, but they also attracted a lot of unwanted attention. Many of the past megabreaches ended in the capture and arrest of those responsible, such the case of Albert Gonzales, the former Secret Service informant who was sentenced last year to 20 years in prison for his role in the theft of 130 million credit and debit card numbers from card processing giant Heartland Payment Systems. “Those that wish to stay out of jail may have changed their goals and tactics to stay under the radar,” the report notes. “This could be one of the chief reasons behind the rash of ‘mini breaches’ involving smaller organizations.”
-Megabreaches of years past flooded criminal underground markets with so many stolen card numbers that their value plummeted. Criminals’ attention may have turned to stealing other lower profile data types, such as bank account credentials, personal information and intellectual property. In other words, criminals might opt to let the markets clear before stealing more huge quantities or selling what they already had purloined. “It’s worth noting that a lot of the cards that were stolen over the last few years in these megabreaches probably are going to start expiring soon,” said Bryan Sartin, director of investigative response at Verizon Business. “So we could be in a holding pattern right now.”
Not that thieves aren’t still interested in stealing payment card data, they’re just not doing it in megaheists. Verizon’s results show that the theft of payment card data maintains its predominance across the combined caseload, accounting for 98 percent of records breached and stolen in 78% of all breach incidents. Also, nearly one-third of all breaches examined in the report involved activities that require physical proximity; the majority of those involved ATM and gas pump credit card skimmers, or compromised point-of-sale terminals at retail establishments.
“ATM and gas pump skimming is conducted largely by organized criminal groups and one ‘spree’ can target 50 to 100 different business locations,” the report stated. “These attacks have been occurring for years, but are on the rise in many areas according to both public reports and the caseload of the Secret Service.”
If e-thieves aren’t as inclined to go after the giant data hauls, then whom are they targeting? Readers who are familiar with my coverage of the seemingly incessant online banking account takeovers targeted at small to mid-sized businesses already know the answer: Verizon’s report cites a “virtual explosion in breaches involving smaller organizations,” last year.
“It appears that cybercriminals are currently satisfied with compromising Point of Sale (POS) systems and performing account takeovers and Automated Clearing House (ACH) transaction fraud. There has been an increase in these areas in 2010. In relation to prior years, it appeared that there were more data breaches in 2010, but the compromised data decreased due to the size of the compromised company’s databases. This shows willingness in the cybercriminal underground to go after the smaller, easier targets that provide them with a smaller yet steady stream of compromised data.”
As it has done in previous reports, Verizon continues to downplay the importance of some of the biggest buzzwords driving the security market today, including “cloud security,” “mobile security” and “Advanced Persistent Threat.”
Concerning the recent media attention to security companies warning about the nascent threat from computer crooks targeting mobile devices, the report states:
“While we acknowledge the growth of mobile computing and the increasing attractiveness of the platform to potential threats, we also must acknowledge that again this year we have no representation of smartphones or tablets as the source of a data breach.”
Addressing the security problems raised by moving data “to the cloud”:
“We have yet to see a breach involving a successful attack against the hypervisor. On the other hand, we constantly see breaches involving hosted systems, outsourced management, rogue vendors and even [virtual machines] (though the attack vectors have nothing to do with it being a VM or not). It’s more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to The Cloud.”
Regarding Advanced Persistent Threats (APTs), Verizon says:
“APTs deserve some special treatment here. Some will remember that we voiced concern in the 2010 DBIR and subsequent blog posts over the APT hysteria sweeping the security community. We still believe that a ‘scope creep’ exists in the definition of APT. The term’s originators use it primarily in reference to state-sponsored attacks from the People’s Republic of China. Others use it to describe any threat possessing above average skill and determination. The logical outcome of the former is to seriously assess and seriously address security posture within government agencies and the defense industrial base (which is right and good). The logical outcome of the latter is to conclude that ‘everyone is a target’ of APT (which is an oxymoron and leads to irrational fears about the boogeyman while common thieves clean you out of house and home). It is simply not possible for everyone to be a target. It is undoubtedly true (based on investigative experience) that some are the target of state-sponsored attacks (originating from China and/or elsewhere). It is also undoubtedly true (also based on experience) that some who think they are victims of APTs are really the victims of organized criminals, hacktivists, glorified script kiddies, and their own mistakes. Because ‘APTs’ (any definition) are real, it’s time we get real about defining and defending against them.”
The Verizon report is chock full of other interesting findings. Here are a few that I found fascinating:
- 50 percent of breaches involved some type of hacking. A whopping 71 percent of attacks in the hacking category were conducted through remote access and desktop services, such as pcAnywhere and RDP. The businesses most commonly hit via insecure remote access and desktop services were in retail and hospitality industries.
- Just five distinct vulnerabilities were exploited across the 381 breaches attributed to hacking. And two of the five were flaws for which there have been patches available for more than two years.
- Only17 percent of breaches last year implicated insiders. Eighty-eight percent of internal breaches involved regular employees or end users. System and network administrators stole far less information than regular employees.