The Verizon DBIR 2012 was released last week and I am sure you have seen a lot of blog posts, articles and tweets on the subject... So let me try and put a different perspective on it: many of you will have heard me say that the DBIR is the “gift that keeps on giving”, and yes, it is! But as with every report, statistics and opinions always have to be put into the right context... The conclusions are not surprising, but there are quite a few little nuggets in the report that are worth examining...
To start with, I am glad to see that the analysis now offers some separate insights in relation to SMEs and larger organisations, as some of the issues can differ depending on size. The case load is also bigger this year (855 incidents compared to 761 in 2010) and the number of known compromised records studied was also greater (3.8 million in 2010 compared to 174 million in 2011 - mostly due to the return of the “mega breaches” in 2011 after a relatively quiet 2010).
Globally, the sectors affected remain the same: Hospitality (Accommodation & Food Services) still leads the pack with a whopping 54% of all breaches in 2011 (compared to 40% in 2010) closely followed by Retail at 20% (compared to 25% in 2010, some improvement there). The picture is slightly different when you start looking at the number of compromised records: 52% for the Information sector closely followed by 45% for Manufacturing, none of which were top of the list in 2010 (Retail & Hospitality at 56% and Financial Services at 35% for 2010). The characteristics of the breaches can be summarised below:
- Threat events: 81% Hacking (99% of records), 69% Malware (95% of records), 10% Physical (<1% records), 7% Social (37% records)
- Threat agents: 98% external (compared to 86% in 2010) and 4% internal (compared to 12% in 2010), with partners at less than 1% (there are overlaps, which is why this doesn’t add up to 100%). Of the 98% external agents, 96% do it for the money.
- Assets affected: 51% Servers and 49% User Devices...
I’ve always been slightly uncomfortable with the classification of threat agents (but you have to have a framework and this one’s as good as any...), where a partner is only classified as a threat agent if it deliberately caused the breach. The fact that the vulnerable state of an agent in many cases leads to a breach is not captured in the above figures. I was therefore very happy to see later on in the report (page 41) a whole section on cloud computing, titled “Ownership, Hosting and Management”, and the figures ring true for me from what I observe in the wild:
- 91% of breaches occurred where assets were owned by the breached entity. (Partner owned was 16% and employee owned only 1%, so the BYOD trend was not evident in 2011, but maybe this will change in 2012).
- 46% of breaches occurred where assets were managed by a third party.
- 26% of breaches occurred where assets were hosted by a third party.
TRANSLATION: a substantial proportion of data breaches globally occurred where corporate assets were either managed or hosted by third parties... See my earlier post on the subject.
In addition, when it comes to getting information security investment, it’s always a good idea to have good business metrics that translate into real money (see here). The DBIR deliberately avoids (page 17) dealing with fraudulent activity: when insiders misuse access or information and commit fraud, or where non-financial assets (e.g. trade secrets) are stolen, these activities either go undetected (no tools available) or are not counted (no “unauthorised” disclosure). This is why you need to get close to your fraud colleagues to see that side of the equation...
Another interesting factor in the report is that the sample now includes 36 countries compared to 23 in last year’s report.
REQUEST TO VERIZON: you acknowledge in the 2011 report that “regional differences [...] exist, though they are not as amplified as we tend to think”. ...
I have a funny feeling that they are in fact amplified if you compare and contrast countries that have deployed EMV with countries that have not (especially in the POS space)... Maybe a regional cut of the stats wouldn’t go amiss given the current size of your sample? I am, of course, happy to help!
This data set consisted of 60 large organisations, and the top three sectors affected by breaches were Financial Services (28%), Information (22%) and Retail (12%). For breaches with more than 1 million records lost, Financial Services represented 40% of all records, Retail 28% and Information 7%. Again, the characteristics of the breaches can be summarised below:
- Threat events: 58% Hacking (99% records), 28% Malware (97% records), 22% Social (38% records), 17% Physical (<1% records)
- Threat agents: 87% external and 5% internal, with partners at 3%. Of the 87% external agents, 71% do it for the money, 25% in disagreement or protest and 23% just for fun or pride.
- Assets affected: 59% Servers, 26% User Devices and 15% People...
Notably, the increased presence of social tactics is due to the fact that large organisations have better perimeter defences, so criminals have to resort to targeting humans.
And here it is right in front of us, the statistical evidence for the 2011 trends as well as some other nuggets from the DBIR:
- Breaches due to social tactics are here to stay. Education and awareness at all levels of the organisation is crucial (“there is no 100% patch for people...”). We’ve seen a string of criminals posing as support services for financial services institutions or known software/services providers in order to target small businesses. Phone, personal contact and email were most prominent with small businesses, whilst larger organisations are mostly targeted via email or phone.
- Breaches as a result of Hacktivism mostly occur in large organisations. Business threat scenario modelling is key. In addition, the major shift that occurred in 2011 is that hacktivists no longer confine themselves to breach of availability/integrity (e.g. defacements, DDoS) as they have shown a definite move towards confidentiality/possession (e.g. pastebin, etc.). In addition, although activist groups represented a small proportion of the 2011 caseload, they stole over 100 million records.
- 81% of breaches and 83% of records stolen were due to default/guessable credentials and generally insufficient authentication.
- 90% of all record loss is associated with attacks that exploit backdoors.
- Web applications remain the 3rd most common vector overall and they were associated with over a third of total data loss. For larger companies, web applications represent 54% of the breaches and 39% of record loss.
- SQL injection still lives, but I couldn’t come to a definite conclusion in terms of lost records or breaches. The report notes that 8% of breaches within malware (page 26) or 2% (page 27) were due to SQLi (12% for larger organisations), and then 3% and 4% within Hacking (page 21) (small and large organisations respectively). Intuitively, this may mean that SQLi is declining as a chosen method, but I’d like to understand the data more. I’d like to think that the message is finally getting out there.
- Interesting fact: internal network access and remote access (e.g. VPN) show identical numbers as a vector of misuse (21%), which seems to lead to the conclusion that it is not riskier to work remotely than within the corporate perimeter.
- Another interesting fact: we already ascertained that the assets most at risk were servers, closely followed by user devices. Amongst user devices, the top three were POS terminals (35%), Desktops (18%) and ATMs (8%), with laptops way down at 1%. Perhaps surprisingly, mobile phones and tablets didn’t feature, but we’ll have to watch the trend in 2012.
- The type of data most compromised is personal information with 95% (overall) and 98% (large businesses) of lost records. Payment card information is still top of the list in terms of breaches (48% overall and 33% for large organisations) but represented only 3% and 1% respectively in terms of lost records. So the PCI DSS is working...
If you'd like some more stats, you may be interested in my analysis of the latest Trustwave report.
I think that’s enough for now...
Until next time...