31 March 2013


It’s that time of year again where we try to make sense of all the new research and statistics. Today, I give you the Trustwave 2013 Global Security Report, which analyses 400 data breach investigations (compared to 300 in 2011) across 29 countries (compared to 18 in 2011). Unsurprisingly, 96% of the breaches involved the theft of customer records (payment card data, PII, email addresses), compared to 89% in 2011. Closer to home, this is confirmed by the CIFAS Fraudscape report published in March 2013: whilst total fraud in the UK showed only a 5% increase since 2011, identity fraud increased by a whopping 17.1%. That correlates with the Trustwave finding that, of all client-side attacks observed, 61% targeted Adobe Reader users via malicious PDFs, which clearly points to social engineering as the delivery method.

Trend alert...

In 2012, 78% of the case load (from 85.3% in 2011) originated from the Food & Beverage, Retail and Hospitality industries (see last year’s report), with notable increases in Financial Services and Not For Profit organisations (other):

Percentage of breaches per sector – Trustwave GSR 2013
Over the past few years, Food & Beverage and Retail have been almost interchangeable due to the similarity of their infrastructure, but it is good to note the overall reduction for the two sectors combined, from 77.3% in 2011 to 69% in 2012. We are possibly starting to see better practices (better POS security architecture and encryption) in these industries, but criminals continue to focus on them because of the sheer volume of cards and PII they hold. This correlates with a significant rise in the automation and persistence of attacks using targeted malware, specifically generic memory scraping, which accounted for 49% of all cases in which the associated malware had identifiable data collection functionality (and which is also the whole point of the lawsuit Genesco filed against Visa). Memory scraping matters because it reads card data from POS process memory while it is in the clear, so encryption at rest and in transit does not protect against it on its own. Also interestingly, in the cases where memory dumpers or keyloggers were used, the malware operated undetected for an average of 18 months. Increased awareness of the need to secure stored information has also meant that 60% of data harvesting methods are aimed at data in transit.

New for 2012 is a reported 400% increase in mobile malware. However, very few of the Trustwave forensic samples involved mobile devices, which points to a lack of visibility of mobile devices within organisations rather than an absence of incidents. Trustwave also list their top 10 mobile vulnerabilities, which I guess will further inform the proposed OWASP mobile top 10 currently in development.
Note: whilst in 2011 more than one-third of the breaches in Food and Beverage, Retail and Hospitality targeted businesses operating franchise models, the 2012 case load doesn’t give any indication as to how this trend has evolved.

Who, me?... Or the case for incident response

In 2012, 76% of organisations were notified of breaches by external entities (Regulatory, Law Enforcement, Third Party, Public) compared to 84% in 2011:

Breach Detection - Trustwave GSR 2013
So does this mean that we’re getting better at incident response? Well, I think so on two counts:

Firstly, the March 2012 Symantec-sponsored Ponemon Cost of a Data Breach Study (UK) seems to think so: whilst the cost per compromised record increased from £71 in 2010 to £79 in 2011, the organisational cost per breach decreased by 8%, from £1.9M to £1.75M, suggesting that organisations have improved in both preparing for and responding to a data breach (the findings also revealed that fewer records were being lost, with less customer churn). Other studies have found that the cost of a data breach is increasing, which is perhaps symptomatic of attacks now being far more targeted. So while self-detection is improving, those that remain blissfully unaware (see earlier post) are facing higher costs due to the increased sophistication of attack delivery and targeting. Criminals continue to automate the process of finding victims (through the identification of basic vulnerabilities) and extracting valuable data, which lowers the cost of performing attacks, which in turn lowers the minimum yield needed for a victim to be of interest.

Secondly, whilst the average time from initial breach to detection was still 7 months in 2012, the timeline from intrusion to containment has improved significantly over the previous year: the majority of breaches were detected within 1 year, 9% were detected within 1 month, and 5% within 10 days, as the chart below suggests:
Timeline of Intrusion to Containment - Trustwave GSR 2013
There are a few more goodies in the Trustwave GSR for this year, including email, passwords, third parties and some international perspectives, but I will leave that for the second part of this post.

Until next time...