Verizon Business 2008 Data Breach Investigations Report
This is an excellent report culled from over four years and 500 forensic investigations performed by the Verizon Business RISK team.
There are some very interesting statistics presented in this report that may be very eye-opening to many (italicized comments added by me):
Who is behind data breaches?
73% resulted from external sources <– So much for "insider risk trumps all"
18% were caused by insiders
39% implicated business partners
30% involved multiple partiesHow do breaches occur?
62% were attributed to a significant error <– Change control is as important as
59% resulted from hacking and intrusions <– compensating controls
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threatsWhat commonalities exist?
66% involved data the victim did not know was on the system <– Know thy data/where it is!
75% of breaches were not discovered by the victim <– Manage and monitor!
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable controls <– So why aren’t they used?
Very, very interesting…
You can get the report free of charge here.
/Hoff
*Update: I’ve read quite a few bristling reviews of this document. Some claim it doesn’t go far enough to describe how VzB collected and sampled the data and from whom. Others suggest it’s FUD and obviously just meant to generate business for VzB.
It’s true we don’t know who the customers were. We don’t necessarily know which segments of industry they came from or how big/small they were. It’s not authored by a disinterested party. Got it.
I guarantee that some of people who are amongst those being critical of the report will bitch about it and then use this data just like they have the FBI/CERT data over the years…
Take the report on face value and map it against others to see how it lines up.
This is not the definitive work on breaches, for sure, but it’s an interesting and useful data point to consider when exploring trending as well as for use in strategic planning in assessing your security program and preparing for an inevitable breach.
IT is still it's own worst enemy
Your comment of "so much for insider risk trumps all" is misleading. If you read the blog post from the Verizon Business Security Blog it states:
"While criminals more often came from external sources, and insider attacks result in the greatest losses, criminals at, or via partner connections actually represent the greatest risk. This is due to our risk equation: Threat X Impact = Risk
* External criminals pose the greatest threat (73%), but achieve the least impact (30,000 compromised records), resulting in a Psuedo Risk Score of 21,900
* Insiders pose the least threat (18%), and achieve the greatest impact (375,000 compromised records), resulting in a Pseudo Risk Score of 67,500
* Partners are middle in both (73 39% and 187,500), resulting in a Pseudo Risk Score of 73,125"
[Source: http://securityblog.verizonbusiness.com/2008/06/1… ]
This data is located in a table on page 11 of the report which states: "Thus, a 'back of the napkin' calculation of risk (likelihood x impact) finds that partners represent the greatest risk for data compromise, followed closely by insiders."
Although excellent reports like this gives us insight into breaches that are found, one wonders the number of additional breaches that are NEVER detected.
Great post. The monitoring part is often overlooked. I saw an article the other day in Computerworld, that discussed a mult-billion dollar insider incident at Société Générale.
One of the things they mentioned was that IT management had implemented all of the controls recommended by auditors, but nobody was monitoring them.
It's not the technical controls in most cases – it's people/process shortfalls that will get you.
@randy:
You're right, it was misleading and I didn't mean it to be. What I meant to suggest is that the greatest SOURCE is external, not necessarily the greatest risk. This was a knock on studies like the ol' FBI/CERT study that year-over-year suggested that insider attack was more "prevalent" than external.
I should go back and re-read the FBI/CERT study and check the wording.
/Hoff
To expand on what Rob said: All this being said, and as good a read as it is, don't forget it is documenting only 500 incidents they knew of in a period of 4 years (an eternity for those of us in technology). I wouldn't consider these 500 to be all incidents. Not to mention threats evolve in 6 months, let alone 4 years. Heck, even Symantec's report is based only on stuff they see. Fun read, though.
These are breaches that they did forensics on, IIRC. They may or (as I suspect) may not represent all breaches. Would a business need forensics experts to figure out that an unencrypted backup tape they sent via courier never showed up, for example? When you consider that the majority of exposed records [that we know about…] are exposed via lost or stolen media or gear…
All good points guys, but from the perspective of a controlled sample, I think the report certainly has value. It certainly does not represent all breaches, but what it *does* do is smooth the curve over four years with a level of insight and taxonomy I found very useful.
I suppose I should not have generalized, but when in Rome… 😉
/Hoff
I am enthusiastic about the richness of detail as well — don't get me wrong. I would like to see way more of this.
I think one of the most understated implications is related to virtualization security. If most of the threats are from the outside against targets not known by the security team (perceived as safe or inaccessible) then what happens when you bring in the hypervisor layer (more hidden changes/mutation), which adds more change and less visibility for perimeter appliances?
Amrit- you have a point about insiders doing great damage… but I think the real point has to do with cost/benefit when it comes to security. IMHO insider betrayal is a very old phenomenon that will never go away. Creating the perfectly safe network impervious to insider damage by way of a powerful, super smart network appliance seems to be a Quixote Windmill fraught with new levels of "brick and mortar" restrictions and limitations. Maybe that is what Bruce is up to in his new collaboration with the social sciences. Maybe convenience isn't a good thing?
At the end of the day I would supplement the equation with a factor identifying the likelihood of solving the problem and the expense of addressing. That way netsec focuses on achievable tasks based on business case versus theoretical, abstract exercises.
Who knows, maybe some of these insider events were predictable or avoidable (with some unobtrusive solutions in place), but my instinct is that insider risks are better dealt with within the legal system.
@Sam,
My gut instinct is that there is a larger percentage of inside violations of policy (eg. printing out extra hard copy or copying to portable device) that are never detected than the percentage of externally sourced attacks that are never found.
Excellent points at th end – Some colleagues of mine are on the cusp of releasing some research done on the analysis and vetting of breach data sources. Stay tuned!
@Amrit, for years and years and years and (did I say years) my inbox got clutter with marketing/press pitches that included the phrase, or close variants, of "and it's widely known that 80 percent of attacks are from insiders."
Never a mention of magnitude. Never a qualification.
While that may have been widely known, it was also widely wrong.
And for what it's worth, this is probably based largely on TruSecure's reports — which were good in their time.
@George:
That's exactly what I was referring to with my "FBI/CERT" reference…It's the same nonsense that gets regurgitated over and over like where that tart said that Cybercrime was bigger than the drug trade…