How and Wow: Verizon’s Tactical Survey of Global Data Breaches
The Verizon 2013 Data Breach Investigations Report is the sixth annual survey of data security incidents by the American telecommunications giant. Based on data provided by international law enforcement, research institutions and private forensic, investigatory and response companies, the Verizon RISK team (RISK stands for Researching, Investigating, Solutions, Knowledge) has analyzed over 47,000 data security incidents, including 621 confirmed data breaches. The data were drawn from victims in 27 different countries (Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Denmark, Dominican Republic, France, Germany, Hong Kong SAR, India, Ireland, Israel, Japan, Luxembourg, Malaysia, Mexico, Netherlands, Puerto Rico (U.S. Terr.), South Africa, Spain, Sweden, Thailand, United Arab Emirates, United Kingdom, United States of America).
The Report profiles each industry sector: it identifies the data at risk, the actors likely to want that data, and the threat actions those actors take.
Peppered with colorful language about miscreants, bandits, activists and international intrigue, the Report is really about providing useful quantification and perspective. The who, what, why and how of data breaches reveal general trends and commonalities (discussed as threat vectors by the Team) that can be harnessed to improve best practices.
“Many organizations devote a disproportionate amount of time and money to detection methods that fall below the 1% mark.” (Exec. Summ., Fig. 6 at p.9)
Notably, nearly all perpetrators are outsiders; financial gain is the most prominent motive; motive correlates strongly with the country from which an attack originates; access controls are weak in ways that are hard to justify; and breaches are rarely self-detected, and seldom quickly.
Two-thirds of breaches took months – or even years – to discover.
With this knowledge of the breadth and direction of global data breaches in hand, companies can immediately address the trending weaknesses highlighted in the Report.
Data Breach Targets
The Report confirms that all organizations, public and private, large through small, are susceptible to data attacks. The sector analysis shows that the targets of 2012 data incidents were 37% financial organizations; 24% retail and restaurants; 20% manufacturing, transportation and utilities; and 20% information and professional services firms. Finance is highly susceptible to physical campaigns (ATM skimming), but Retail leads in the number of network intrusions. All sizes of organizations were affected: 38% of breached organizations were large (1,000 or more employees). Small companies are just as vulnerable to espionage campaigns as multinational corporations (see Figure 5 at p. 15 of the Report).
There is a correlation between industry sector and method of attack that pivots on the data the attacker wants. Hence, companies holding more intellectual property are the targets of cyber espionage, whereas the retail and food services industries are targets of pecuniary theft but not of espionage.
An overwhelming 92% of breaches were perpetrated by outside actors. (However, it is noted that there may be some reporting bias.) Organizations with more employees did not see more significant insider-instigated breaches. Internal actors were mostly motivated by financial gain.
Pay attention to your customers, cashiers and customer service reps!
External actors are as expected: over half of all external breaches stemmed from organized crime. For the first time, the second greatest source of threat is state-affiliated action. This is possibly attributable to various causes: an actual increase in political espionage; or, a relative decrease in financially-driven attacks on smaller organizations; or, this year’s wider data set; or, the enhanced international practices of information sharing such as the highly publicized Mandiant Report on China’s Cyberwar Army Unit.
The Report finds a “fascinatingly apparent” correlation between the motive for an attack and its country of origin (ascertained in over 75% of the breaches). The majority of attacks for financial gain stemmed from organized crime out of the United States or Eastern Europe (in particular Romania, Bulgaria and the Russian Federation). These profiteers target laptops, desktops, and file, mail or directory servers. Nearly all (96%) espionage cases came out of China. Western Europeans and North Americans have a predilection for hacktivism, attacking web applications, databases and mail servers. The data were clear enough to allow the Report to profile external threat actors in some compelling tables.
Data breach threats are not all that sophisticated for most sectors under attack.
The profiling extends to the underlying motivations for data attacks. Internal threat actors were responsible for 14% of the data breaches and were mostly deliberate, malicious and for financial gain. The most prolific actors are not high-level administrators but cashiers, waiters and others working directly in the payment chain. Responsible for 40% of overall insider breaches, and 60% of small-organization insider breaches, these employees both initiate and are solicited to skim payment cards and steal customer account data. Where administrators were implicated, their actions were inadvertent in 8 out of 13 cases – definitely a target area for improvement here. Managerial and executive employees exiting an organization were prone to taking proprietary information with them – again, an easy area to improve policies. Over 70% of IP theft by insiders occurred within 30 days of an announcement of resignation.
Some of the findings upend popular assumptions about targeted assets. Computing may be the realm of the technically agile, but a great number of data breaches are not sophisticated by nature. Outside of ATMs, traditional hardware such as laptops, desktops and servers are still the most significant source of vulnerability. 41% of the incidents of misuse are due to unapproved hardware. Despite vocal concerns about third party applications and cloud computing, the action on the ground still centers on that darn lost laptop.
As for the vulnerability of data in transit – there were no such incidents. Two-thirds of the breaches involved data that was passively stored in databases and on file servers (“data at rest”); the other third affected data as it was being processed. 71% of intrusions targeted user devices (an over 10% increase from 2011) and 54% compromised servers (an over 10% decrease from 2011).
Half of breaches involved some form of hacking and 40% involved malware. Of the hacking exploits, 80% were authentication-based attacks, leading one to wonder why single-factor passwords are still in use.
Victims of cyber espionage can make a difference by focusing on social engineering campaigns.
Many threats use several means of attack, such as the malicious email attachments that opened the way for nearly half of malware attacks. Physical ATM skimming and social engineering are on the rise. Social tactics saw a fourfold rise in related breaches and are increasingly popular for espionage attacks. Because successful targeted social engineering can bypass an entire corporate security system, the Report recommends that corporations consider extending their IT security “into the living rooms of their CEOs.” (Report at p. 59) Systemic weaknesses are implicated when you see that 76% of network intrusions are attributable to weak or stolen credentials.
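The Report's figures on authentication-based attacks (over 80% of hacking actions, per the paragraph above on hacking) and on weak or stolen credentials (76% of network intrusions) point at a detection opportunity that sits in logs most organizations already keep. What follows is an added example, not part of the Report or of this article: a small Python detector that reads sshd-style authentication lines and flags a brute-force burst from one source, a password spray (one source trying many accounts), and a successful login that follows a burst of failures, which is the footprint of a guessed or stolen credential being used. The log lines, host name, IP addresses and thresholds are all constructed for illustration; the only assumption about the input is that it uses OpenSSH's "Failed password" / "Accepted ..." message format.

```python
"""Flag authentication-based attacks in sshd-style auth log lines.

Added example for this article, not code from the Verizon report. Every
log line, host, address and threshold below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Tuning values (constructed): a 5-minute sliding window per source address.
WINDOW_SECONDS = 300
BRUTE_FORCE_FAILS = 5               # failures from one source inside the window
SPRAY_USERS = 4                     # distinct accounts tried from one source inside the window
SUSPICIOUS_FAILS_BEFORE_SUCCESS = 3 # failures preceding an accepted login from the same source

# Constructed sample: 198.51.100.23 guesses root and then gets in; 203.0.113.9 sprays
# four accounts; 192.0.2.44 is an ordinary user who mistypes once, then uses a key.
SAMPLE_LOG = """\
Mar 14 02:10:01 web1 sshd[4011]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:10:03 web1 sshd[4012]: Failed password for root from 198.51.100.23 port 51023 ssh2
Mar 14 02:10:05 web1 sshd[4013]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 14 02:10:07 web1 sshd[4014]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 14 02:10:09 web1 sshd[4015]: Failed password for root from 198.51.100.23 port 51026 ssh2
Mar 14 02:10:11 web1 sshd[4016]: Failed password for root from 198.51.100.23 port 51027 ssh2
Mar 14 02:10:13 web1 sshd[4017]: Accepted password for root from 198.51.100.23 port 51028 ssh2
Mar 14 02:15:00 web1 sshd[4020]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar 14 02:15:02 web1 sshd[4021]: Failed password for bob from 203.0.113.9 port 40002 ssh2
Mar 14 02:15:04 web1 sshd[4022]: Failed password for carol from 203.0.113.9 port 40003 ssh2
Mar 14 02:15:06 web1 sshd[4023]: Failed password for dave from 203.0.113.9 port 40004 ssh2
Mar 14 09:30:00 web1 sshd[5001]: Failed password for alice from 192.0.2.44 port 50110 ssh2
Mar 14 09:30:20 web1 sshd[5002]: Accepted publickey for alice from 192.0.2.44 port 50111 ssh2
"""

# Matches OpenSSH's "Failed password for [invalid user] X from A.B.C.D port N" and
# "Accepted <method> for X from A.B.C.D port N" messages behind a syslog prefix.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_events(text, year=2013):
    """Turn raw lines into (timestamp, outcome, user, src) tuples; unmatched lines are skipped.

    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return events


def detect(events):
    """Return (rule, src, detail) findings, at most one per rule per source address."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    findings = []
    for src, evs in by_src.items():
        recent_fails = []   # (timestamp, user) failures still inside the sliding window
        flagged = set()
        for ts, outcome, user, _ in evs:
            recent_fails = [(t, u) for t, u in recent_fails
                            if (ts - t).total_seconds() <= WINDOW_SECONDS]
            if outcome == "Failed":
                recent_fails.append((ts, user))
                users = {u for _, u in recent_fails}
                if len(recent_fails) >= BRUTE_FORCE_FAILS and "brute_force" not in flagged:
                    flagged.add("brute_force")
                    findings.append(("brute_force", src, f"{len(recent_fails)} failures in {WINDOW_SECONDS}s"))
                if len(users) >= SPRAY_USERS and "password_spray" not in flagged:
                    flagged.add("password_spray")
                    findings.append(("password_spray", src, f"{len(users)} accounts tried: {sorted(users)}"))
            elif (len(recent_fails) >= SUSPICIOUS_FAILS_BEFORE_SUCCESS
                  and "success_after_failures" not in flagged):
                # An accepted login right after a burst of failures: likely guessed or stolen credential.
                flagged.add("success_after_failures")
                findings.append(("success_after_failures", src, f"{user} accepted after {len(recent_fails)} failures"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:24} {src:16} {detail}")
```

On the constructed sample the detector raises three findings: brute force and a success-after-failures hit for 198.51.100.23, and a password spray for 203.0.113.9; the single mistyped password from 192.0.2.44 stays below every threshold. The success-after-failures rule is the one worth tuning most carefully, because it is the signal that turns a noisy brute-force alert into an incident, and it is exactly the kind of internal detection the Report finds most organizations lack.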
“In a streak that remains unbroken, direct installation of malware by an attacker who has gained access to a system is again the most common vector. And that makes sense; once you own the system, it’ll need some fancy accessories.” (Report at p. 29)
Small retailers and restaurants should look to improve the basic IT around their point-of-sale systems, because those systems are mostly attacked through weaknesses in remote administration services. Financial services faced an onslaught of ATM skimming campaigns bolstered by web application attacks. For manufacturing, engineering, consulting and IT service firms, more breaches stem from targeted social attacks that open the way for the installation of multi-functional malware on internal systems. Notably, three-quarters of breaches were accomplished through threat actions that the Verizon team rated as low or very low difficulty (78% of initial actions and 73% of subsequent actions; see Figures 39 and 40).
This is attributed to the broad nets cast by financially motivated threat actors looking for easy targets, compared with acts of espionage, which are moderately difficult to execute.
The detection situation is not improving. Over 56% of breaches were not detected for over one month, and 66% of intrusions were not discovered for months. In particular, internal detection is low: 69% of breaches were detected by external parties, most of which were end users. (This is an improvement over the previous year’s figure of 92% detection by external parties, but no different from the detection range of the past few years.) Over 50% of breaches were discovered by end users and 26% by unrelated parties, including a worrying 9% discovered by customers themselves. This is a sign that companies should take user complaints about system performance more seriously. Leveraging third parties as fraud detectors can be an especial boon to smaller companies.
End users and other external actors are detecting data breaches more than internal and IT players.
All organizations can look to improve and support the “detection capability” of their existing human resources: from training bank employees to recognize skimmers, to supporting customer service representatives, to encouraging cashiers to resist and report social engineering. Within internal detection, 46% of the discoveries were made by customer service representatives. In fact, the Report suggests that an organization’s people can be readily transformed from the “weakest link” to its “greatest asset.”
The Report concludes with solid suggestions for all companies:
→ Eliminate unnecessary data; keep tabs on what’s left.
→ Perform regular checks to ensure that essential controls are met.
→ Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
→ Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), which can greatly assist defense and detection.
→ Your problem is specific; address it specifically. This means that you don’t have to throw the entire toolkit at a defined problem.
→ Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
→ Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.
→ Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
→ Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal.
Read More at:
Verizon Enterprise: 2013 Data Breach Investigations Report
Information Law Group: 2013 Verizon Data Breach Report is Out – Risks Increase
Data Security Law Journal: Data Breaches – Who is Causing Them, How, and What Can Companies Do About It?
Annie C. BAI