The “2009 Data Breach Investigations Report” was released this week. It is a 52-page study conducted by the Verizon Business Incident Response team describing its work.
Keep in mind that this report is a description of Verizon Business Incident Response engagements. As they did in their 2008 report, the Verizon team emphasizes external attack and the services that they sell. It is an unusual report. Verizon does, I believe, a great job describing what their Incident Response practice found last year. I have no reason to doubt any of their data. It presents a picture of great diversity over their 2008 engagements. But the top five breaches included in this report account for 93 percent of total records compromised (page 34). This made many of the statistics throughout the rest of the report almost irrationally skewed…
Maybe it would be best to read this paper as an “Annual Report” of the Verizon business unit performing Incident Response services. I believe that would be a difficult stretch to try to turn it into something that has broadly-applicable meaning for the financial services industry, or for the full spectrum of technology-rich Internet-dependent businesses across the globe.
In that context, though, there is still some interesting reading. The report is based on their experience in 150 forensic engagements in 2008. 90 of those were confirmed data breach investigations — so the report data is from those 90 engagements.
These 90 cases resulted in more than 285 million data records breached — exceeding the combined total from all Verizon Business Incident Response engagements from 2004 to 2007.
For their customer base, they reported that “breaches still go undiscovered and uncontained for weeks or months in 75 percent of cases.” (page 38) I work for a geographically-dispersed, diversified financial services corporation, and this finding generates a little catch in my breathing…
Verizon reported that nearly half of their caseload was described as being comprised of different sets of interrelated incidents, and that “quite often” that meant the same individual(s) committed the multiple attacks.
This is a sometimes-dense, 50-some page report, so you would need to fetch a copy and read it to get a sense of the scope of information that Verizon presents. That said, here are some statistics from the report that I found interesting:
Breach distribution by business sector:
Retail 31%
Financial Services 30%
Food and Beverage 14%
Manufacturing 6%
Business Services 6%
Hospitality 6%
Technology 3%
Other 4%
Industries represented by percent of records breached:
Financial Services 93%
Everyone Else 7%
Targeted attacks accounted for 90% of all compromised records. (page 31)
Compromised database and application servers accounted for 42% of breaches and 94% of breached records. (page 33)
Median number of records compromised per breach, by source:
External 37,847
Internal 100,000
Partner 27,000
Compromised data types by percent of breaches / percent of records:
Payment Card Data 81% / 98%
Personal Information 36% / 1.5%
Authentication Credentials 31% / <0.1%
Account Numbers 16% / 0.5%
Intellectual Property 13%
Monetary Assets / Funds 11%
Corporate Financial Data 6%
Other 11%
Threat categories by percent of breach cases / percent of records:
Malware 38% / 90%
Hacking 64% / 94%
Misuse 22% / 2%
Deceit 12% / 6%
Physical 9% / 2%
Error 1% / 0%
Types of hacking by number of breaches / percent of records:
Unauthorized Access via Default or Shared Credentials 17 / 53%
SQL Injection 16 / 79%
Improperly Constrained or Misconfigured ACLs 9 / 66%
Unauthorized Access via Stolen Credentials 7 / 0.1%
Authentication Bypass 5 / 0.1%
Brute-Force 4 / 7%
Privilege Escalation 4 / 0%
Exploitation of Session Variables 3 / 0%
Buffer Overflow 3 / 0%
Cross-Site Scripting 1 / 0%
Attack pathways by number of breaches / percent of records:
Remote Access & Mgt. 22 / 27%
Web Application 21 / 79%
Other Server or Application 7 / 7%
Network Devices 6 / 11%
End-User Systems 1 / 26%
Malware functionality by number of breaches:
Key logger or Spyware 17
Backdoor or Command Shell 16
Capture and Store Data 13
Attacks Other Systems 2
Disables Security Controls 2
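The "percent of breaches" and "percent of records" columns above tell very different stories because a handful of very large incidents dominate the record count, and because one breach can fall into several threat categories (which is why the breach column of the threat table sums to more than 100%). The following Python is an added illustration, not code from the report or from this post: it tallies a constructed set of ten incidents both ways and reports how much of the record total sits in the largest five. The incident IDs, record counts and category labels are invented for the example and are not figures from the Verizon report.

```python
from collections import defaultdict

# Constructed sample incidents (not data from the Verizon report).
# Each incident has a record count and one or more threat categories,
# mirroring the report's convention that a breach may involve several actions.
INCIDENTS = [
    {"id": "A", "records": 50_000_000, "threats": {"hacking", "malware"}},
    {"id": "B", "records": 30_000_000, "threats": {"hacking", "malware"}},
    {"id": "C", "records": 5_000_000, "threats": {"hacking"}},
    {"id": "D", "records": 2_000_000, "threats": {"misuse"}},
    {"id": "E", "records": 1_000_000, "threats": {"hacking"}},
    {"id": "F", "records": 800_000, "threats": {"misuse", "physical"}},
    {"id": "G", "records": 500_000, "threats": {"error"}},
    {"id": "H", "records": 200_000, "threats": {"deceit"}},
    {"id": "I", "records": 100_000, "threats": {"physical"}},
    {"id": "J", "records": 50_000, "threats": {"misuse"}},
]


def threat_breakdown(incidents):
    """Return {category: (pct_of_breaches, pct_of_records)}, rounded to 0.1.

    A breach tagged with several categories is counted once under each, so the
    breach column can sum past 100%; the record column is weighted by size, so
    a category present in only a few huge breaches can still dominate it.
    """
    total_breaches = len(incidents)
    total_records = sum(inc["records"] for inc in incidents)
    breaches = defaultdict(int)
    records = defaultdict(int)
    for inc in incidents:
        for category in inc["threats"]:
            breaches[category] += 1
            records[category] += inc["records"]
    return {
        category: (
            round(100 * breaches[category] / total_breaches, 1),
            round(100 * records[category] / total_records, 1),
        )
        for category in breaches
    }


def top_n_share(incidents, n=5):
    """Percent of all compromised records held by the n largest incidents."""
    counts = sorted((inc["records"] for inc in incidents), reverse=True)
    return round(100 * sum(counts[:n]) / sum(counts), 1)


def median_records(incidents):
    """Median records per breach; far less sensitive to the giant cases than the mean."""
    counts = sorted(inc["records"] for inc in incidents)
    mid = len(counts) // 2
    if len(counts) % 2:
        return counts[mid]
    return (counts[mid - 1] + counts[mid]) / 2


def mean_records(incidents):
    """Mean records per breach, pulled upward by the largest incidents."""
    return sum(inc["records"] for inc in incidents) / len(incidents)


if __name__ == "__main__":
    for category, (pct_breaches, pct_records) in sorted(threat_breakdown(INCIDENTS).items()):
        print(f"{category:9s} breaches {pct_breaches:5.1f}%  records {pct_records:5.1f}%")
    print(f"top 5 incidents hold {top_n_share(INCIDENTS)}% of records")
    print(f"median per breach {median_records(INCIDENTS):,.0f}; mean {mean_records(INCIDENTS):,.0f}")
```

In the constructed sample, "hacking" appears in 40% of breaches but accounts for about 96% of records, "misuse" appears in 30% of breaches but under 4% of records, and the top five incidents hold over 98% of all records. That is the same shape as the report's tables, and it is why the post reads the record-weighted figures with caution and why the median per breach is a more stable yardstick than the mean.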
What is that “1% cross-site scripting” telling us? Does it really represent reality for our Internet-facing applications? I really have doubts… It must say more about the types of technology and services Verizon sells.
What do you think?
— References —
“2009 Data Breach Investigations Report — A study conducted by the Verizon Business RISK team:” http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf