One of the leading annual studies analyzing the causes of data breaches was released earlier today. The 2013 Verizon Data Breach Investigations Report analyzes what is causing data breaches, how the breaches are occurring, who are the hackers and the victims, and what trends can be gleaned from this information. The report has become a “must read” for those in the data security industry and is often cited in board meetings, presentations, and by the media (the NY Times has already published a story about it). Those who do not have time to review the report may want to check out the Executive Summary.
The report studied 621 confirmed data breaches and more than 47,000 security incidents from all over the world. Here is a summary of the most important findings:
- Who is perpetrating the breaches? A large majority (92%) of breaches are perpetrated by outsiders, and one out of every five are attributed to state-affiliated actors (95% of the state-affiliated espionage attacks relied on phishing in some way). When breaches are perpetrated by insiders, more than 50% are a result of former employees taking advantage of their old accounts or backdoors that weren’t disabled, and more than 70% are committed within 30 days of resignation.
- Who are the victims of breaches? Larger organizations are increasingly becoming victims of breaches, and they are not isolated to any particular industry. Manufacturing (33%), transportation (15%), professional (24%), and a variety of other industries (28%) are the targets of espionage attacks.
- What assets are perpetrators targeting? The most vulnerable assets are ATMs (30%), desktop computers (25%), file servers (22%), and laptops (22%).
- How are breaches happening? With respect to cyber breaches, most (76%) occur as a result of exploited weak or stolen credentials.
- Why are breaches happening? The attackers are primarily seeking financial gain (75%), they are opportunistic (75%), and they prefer intrusions that are low in difficulty (78%).
- How and when are breaches being discovered? 69% of breaches are discovered by an external party (9% are discovered by customers). Perhaps more alarming is the fact that 66% of breaches take months or years to discover, a longer lag than in previous years.
The report provides some recommendations for what organizations can do to minimize some of the risks, some of which are commonly accepted best practices. I noticed that these recommendations emphasize detection more than prevention. The report is driven by the (realistic) assumption that organizations are already operating in a compromised environment. While organizations should continue trying to prevent breaches from occurring in the first place, they cannot entirely eliminate them. Therefore, organizations should focus more of their efforts and resources on the detection of intrusions and protection of assets.
Here is a list of recommended practices from the report:
- Eliminate unnecessary data; keep tabs on what’s left
- Ensure essential controls are met; regularly check that they remain so
- Collect, analyze, and share incident data to create a rich data source that can drive security program effectiveness
- Collect, analyze, and share tactical threat intelligence, especially indicators of compromise, that can greatly aid defense and detection
- Without deemphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology
- Regularly measure things like “number of compromised systems” and “mean time to detection” in networks. Use them to drive security practices
- Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a one-size-fits-all approach to security
- If you’re a target of espionage, don’t underestimate the tenacity of your adversary. Nor should you underestimate the intelligence and tools at your disposal.
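As an added illustration of the measurement recommendation above (this code is not from the report or the post), here is a small Python routine that computes mean time to detection, the share of breaches that took longer than a threshold to detect, and a breakdown of who discovered them, over a few constructed incident records:

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass
class Incident:
    """One breach record. The field names are assumptions for this example."""
    system: str
    compromised: date      # first evidence of attacker activity
    detected: date         # when the breach was noticed
    discovered_by: str     # "internal", "external", or "customer"


# Constructed sample incidents; systems and dates are invented for illustration.
SAMPLE_INCIDENTS = [
    Incident("fileserver-01", date(2012, 1, 10), date(2012, 8, 2), "external"),
    Incident("atm-117", date(2012, 3, 1), date(2012, 3, 15), "customer"),
    Incident("desktop-44", date(2012, 2, 5), date(2013, 1, 20), "external"),
    Incident("laptop-09", date(2012, 6, 1), date(2012, 6, 3), "internal"),
]


def days_to_detect(inc: Incident) -> int:
    """Days between first compromise and detection for one incident."""
    return (inc.detected - inc.compromised).days


def mean_time_to_detection(incidents) -> float:
    """Mean days from compromise to detection across all incidents."""
    return mean(days_to_detect(i) for i in incidents)


def share_detected_after(incidents, days: int) -> float:
    """Fraction of breaches that took more than `days` to detect."""
    slow = sum(1 for i in incidents if days_to_detect(i) > days)
    return slow / len(incidents)


def discovery_breakdown(incidents) -> dict:
    """Fraction of breaches discovered by each party (internal, external, customer)."""
    counts = {}
    for i in incidents:
        counts[i.discovered_by] = counts.get(i.discovered_by, 0) + 1
    return {who: n / len(incidents) for who, n in counts.items()}


def compromised_systems(incidents) -> int:
    """Number of distinct systems involved in the incidents."""
    return len({i.system for i in incidents})
```

Tracking these figures over time shows whether detection is actually getting faster, which is the question the report's "months or years to discover" finding raises.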
These statistics, findings, and recommended practices should be considered by any organization that collects, uses, stores, and disposes of sensitive information. The threats to that information are real, they affect companies in all industries, and they are difficult to prevent. Companies should evaluate and be prepared to respond to these increasing risks by adopting proactive administrative, technical, and physical security safeguards.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.