The 2012 Verizon Data Breach Investigations Report is out. I’d love a clarification though; what percentage of “outsider” attacks involved social engineering (including spear phishing)?
Verizon security report:
Hacktivism up, insider threats down
By InfoWorld Tech Watch
Created 2012-03-22 03:00AM
Over 855 data breaches resulting in the compromise of more than 174 million records around the world provided rich source material for the 2012 Verizon Data Breach Investigations Report, a highly respected analysis that includes data from the U.S. Secret Service, four other investigative agencies, and the telecom giant’s own vast trove of information.
The biggest change, unsurprisingly, was the 58 percent rise in stolen records attributed to hacktivism. The Anonymous hacker group surely accounted for a sizable percentage of this activity, although the report doesn’t break that out. Clearly it has become socially acceptable in some circles to publicly announce a high-profile target and recruit a mob of volunteers.
Hacktivism probably contributed to the report’s finding that 98 percent of all attacks were committed by outsiders. Nearly 70 percent of breaches originated in Eastern Europe, which dispels the notion of Chinese dominance (at least this year). Less than 25 percent of attacks originated from the United States. Anecdotally, even some of the biggest U.S. cyber arrests included Eastern European players located in the United States.
The best news in the report is that the percentage of internal attackers has diminished significantly over the last few years, making up only 4 percent of last year’s attacks, down from a high of 48 percent in 2009. Less than 1 percent of breaches resulted from hacks by business partners.
Accounting for 10 percent of all breached records, physical attacks continue to be a factor, from card skimming to stolen storage devices and other physical tampering. Although card skimming was down slightly, skimming combined with ATM PIN camera recording accounted for 35 percent of physical attacks, which is more than double the incidents from the previous year.
The elephant in the room remains the same: The report estimates that 97 percent of data breaches could have been avoided if simple security measures were in place. Worse, 96 percent of victims that were required to comply with PCI DSS guidelines — security measures stipulated by the credit card industry — were not compliant at the time of the breach.
In almost every case, if the victims had applied normal countermeasures the data breaches probably wouldn’t have occurred. No victims are named in the report, but two of the biggest breaches in 2011 — involving Sony and RSA and resulting in the exposure of tens of millions of records — were due to unpatched software. The report again affirms that specialized antihacking tools and software are not needed. What’s needed is more consistent application of the basics.
Worse, 85 percent of victims were unaware of the compromise for weeks to months. And when they discovered the breach, 92 percent learned about it from a third party. You can be sure that event log monitoring vendors will include Verizon’s data in their ad campaigns.
A must-read for most C-level officers, the Verizon Data Breach Investigations Report has provided an invaluable public service for five years. Yet, by and large, the underlying vulnerabilities have stayed the same. Do something about them, and don’t let your company become next year’s statistic.