By Kim Zetter
June 13, 2008
http://blog.wired.com/27bstroke6/2008/06/data-breach-pos.html
A new report examining network data breaches from 500 forensic investigations involving 230 million compromised records has some surprising statistics.
Although it's long been thought that insiders proved to be a greater threat for companies than outsiders, the post mortem study shows that intruders outside an organization (whether they be criminal hackers or others) were the cause of 73 percent of breaches examined in the study. Only 18 percent of breaches were attributed to insiders (although when the culprit was an insider, the consequences of the breach were generally greater, exceeding the size of external breaches by ten to one).
Thirty-nine percent of attacks came from a privileged business partner -- a vendor, supplier, customer or contractor -- and were the fastest growing type, increasing fivefold over the course of the four-year study.
In the case of insider attacks, IT administrators were by far the biggest culprits, accounting for 50 percent of attacks, although in one case involving an insider, external hackers solicited an internal IT administrator to open a back door in his corporation's network to let them in.
The report speculates that the number of insiders involved in the cases might be small because insiders may be more adept at keeping their activities secret -- presumably because they know the system better and know its monitoring weaknesses.
The time it took to conduct an attack ranged from minutes to hours in almost half the cases. By contrast, it generally took organizations months or years to discover the breach. And once they did discover the breach, they were slow to respond. The report attributes this to the fact that most organizations still don't know how to respond to a breach.
In terms of the number of records compromised in attacks, the average breach involved about 1.2 million records. When it comes to median numbers broken down over types of breaches, internal breaches accounted for the greatest number of compromised records -- 375,000 compromised records as opposed to 30,000 for external attacks and 187,500 for trusted partner attacks.
Payment card data was the largest category of compromised records, accounting for 84 percent of the 230 million compromised records. The next largest category was personally identifiable data -- Social Security numbers, birth dates, and other types of data that can be used for identity theft. Intellectual property theft accounted for only 8 percent of compromised records.
In 66 percent of the breaches, the victim organization did not know that sensitive data involved in the breach was even on the computer system from which it was breached.
Some 85 percent of breaches were opportunistic, rather than targeted -- meaning the organization hadn't been specifically singled out for attack -- and in 75 percent of breaches the organization discovered it was breached only because a third party gave them information that made them realize they'd been breached (either someone noticed fraudulent activity with information that was traced back to a breach of the company or a hacker bragged that he had penetrated the organization).
Most significantly, only four percent of breaches were discovered through log analysis or some other systematic network monitoring method, suggesting that despite the fact that many companies have installed intrusion detection systems, few actually read the event logs on a regular basis or have a system for recognizing and acting on what they find in logs.
In at least 62 percent of breaches a significant error or act of omission on the company's part (such as a system misconfiguration or failure to comply with processes or standards) contributed to the breach.
Surprisingly, only about 23 percent of breaches involved the attacker exploiting an application, operating system or service vulnerability. Of the cases involving a known vulnerability, 90 percent of the vulnerabilities had patches available for at least six months prior to the breach, which had not been applied.
Eighty-seven percent of attacks could have been avoided if reasonable security measures had been in place.
The report was compiled by Verizon's Business Risk Team from more than 500 investigations between 2004 and 2007 that its forensic team investigated. The largest number of cases involved retail and food and beverage companies -- the easiest to breach.
Note that numbers in the report summary don't always seem to match numbers in the report itself. This is because the summary report combines numbers in some cases or defines the numbers slightly differently than the report itself defines them.
Download report at - http://blog.wired.com/27bstroke6/files/databreachreport.pdf
No comments:
Post a Comment