Breach Prevention Tips From VerizonBasic Threat Defenses Are Often Overlooked
See Also: The Global State of Online Digital Trust
For small organizations, it's pretty simple. "Change passwords to something complex and implement some sort of firewall or access control list to protect remote access from the Internet," Porter says.
For larger organizations, developing a well-rounded information security program that measures security over time, should be a priority. "Hacktivist groups are targeting Web applications quite often, so you want to target your control implementations in and around protecting those applications," Porter says.
Other strategies for preventing data breaches larger organizations should implement include conducting penetration tests, protecting authentication mechanisms and putting controls in place for timeouts of failed logins.
"A lot of these are pretty basic," Porter says in an interview with Information Security Media Group's Tracy Kitten (transcript below). "It's really about doing simple things and then verifying that those simple things are done."
In its recently published Data Breach Investigations Report, which studied 855 breaches from 2011, Verizon identified hacktivism and lax security practices as the primary risk factors contributing to organizations' vulnerabilities.
During this interview, Porter discusses:
- Why organizations continue to get breached, despite increased investments in new technology;
- How breach prevention and notification varies from one industry to another; and
- Why more collaboration with law enforcement and industry experts will help organizations thwart cyberattacks now and in the future.
Porter is a principal of Verizon's RISK Team.
2012 Data Breach Investigations Report
TRACY KITTEN: The 2012 Data Breach Investigations Report includes in-depth analysis of more than 850 international data breach cases, and some year-over-year comparisons. What can you tell us about the survey and some of its general findings?
CHRIS PORTER: I'm not sure how familiar folks are with the Data Breach series, but I thought I would go over a couple of things about it. This is an ongoing study of our forensics investigations into data breaches. Our report, and all the reports that we've done previously, only include cases of confirmed data compromise. This isn't survey data about data breaches, but these are based on actual investigations that were either done by our forensic investigation team or some of our partners that I will talk about here in a moment. This is our fifth annual report, not including some of the supplemental reports that we've done, and this series spans eight years' worth of data breach incident information.
This year, we're joined again by the United States Secret Service, as well as the Dutch High Tech Crime Unit. But we've also added three new participants: We have the Australian Federal Police, the Irish Reporting and Information Security Service, or IRISS, as well as the Police Central e-crime Unit, or PCEU, of the London Metropolitan Police.
As you mentioned earlier, the study this year covers 855 breaches that were investigated in 2011. That's our highest ever by far for any single year. In 2009, the combined Secret Service and Verizon caseload had around 141. Then, in 2010, the combined Verizon, Secret Service and the Dutch High Tech Crime Unit data set had around 761. Also this year, 174 million records were compromised across these breaches. The mega breach is back. We had several of those breaches that were in the millions of records. For this data set, in particular, it was the second-highest count so far. 2007 had around 171 million. Then the high point of our study has been 2008, which was around 360 million records.
One thing that we did that was a little bit different in this year's report is that we sliced the data in different ways to compare and contrast the overall data set to large organizations. We've had a lot of people talk about how large organizations would look at the report and see that the data was so skewed toward small businesses that it wasn't as relevant to them. We wanted to make sure that we had some data that spoke directly to larger organizations, so that they had better information to make decisions.
Why the increase in the number of incidents? I think that obviously there were more contributors this year, so therefore there were also more incidents. But there were also other data sources that we looked at this year that showed this increase in the number of data breach incidents. If you look at DataLossDB or the Identity Theft Resource Center, those also showed an increase in the number of breaches. We still saw a continued trend from last year of industrialized-style attacks against small businesses conducted by organized criminals. These are typically targeting those small-order but more numerous victims, and then of course as you mentioned in your introduction this rise of hacktivism. This was something that was extremely fascinating to us, that although hacktivist groups accounted for just 2 percent of the overall data set, they accounted for around 58 percent of the records that were compromised this past year, which we found completely fascinating. Hacktivists were able to compromise more data than organized crime.
Collecting Breach Data
KITTEN: How's information about these 850 data breaches mentioned in the report collected? It wasn't all just from law enforcement, right?
PORTER: Correct. One of the sources - and one that was historically the only source that has been part of our annual breach report series - has been incidents that our own investigative response team investigated. This is where an organization finds out that they had a data breach or they discovered they had a data breach themselves, and so they call in a forensics firm to do the investigation to find out what the root cause of that investigation was. We created a couple of years ago a framework for analyzing incidents. We call it VERIS, the Verizon Enterprise Risk and Incident Sharing framework. What we do is we take all the cases that our investigative response team goes through and investigates and we put it through the lens of VERIS and take that incident narrative and translate it into specific metrics about the case. So as you go through and look at the report, you see that there are agents who commit actions against assets with an organization and affect those assets in some sort of way. That sort of A4 model is very strong, and that's the kind of metrics that we're pulling out of each report.
When it comes to law enforcement, it works a little bit differently. Obviously, they're collecting information about their own cases. The Secret Service, for instance, created a tool that uses the VERIS framework, and so they go through each of their cases and create the metrics themselves and then send them over to us for analysis.
The other law enforcement partners that we had, some of that was done through interviews; some of it was done through metrics that they created via the framework and then just passed those along to us. All-in-all, what's interesting is that they're all using the same framework, using VERIS to collect this data. It's the same language so when we say it's an external agent in our data set, the definition of external agent is the same across each of these different data sets and they know exactly what they mean.
Increase in Breaches
KITTEN: I wanted to ask about Verizon's review of these annual data breaches and you mentioned earlier that Verizon has been reviewing these breaches since 2004. Of course, 2011 reflected the second highest number of data compromises. You've talked a little bit about the increase in seeing this across the board among other organizations and institutions that are tracking data breaches, but why do you think that we're seeing an increase?
PORTER: I think it's a couple different reasons. For instance, there are more and more companies that are still moving from brick-and-mortar to an online presence. Sometimes they're not doing this in the best manner possible, so they're not necessarily taking security in mind when they're doing this. They're just saying, "I need to change my business in some way. I can't continue doing business the way I've always done it. I need more customers and the Internet provides that method for gaining more customers." You get on the Internet and you become a global company immediately because anybody can buy something from you. I think that has a lot to do with it, this movement of organizations to continually move toward an online presence and an e-commerce presence.
I also think that attackers are kind of innovating some of their attack processes. We talked earlier in last year's report about this industrialization of attack styles from organized crime, and it's something that they have begun automating into it. I can kind of talk about that a little bit. They're looking for specific remote access services that are available and are Internet-facing. They try default credentials, and if they find them, then the tool will automatically install malware. Typically, it's a key logger and the key logger can be preconfigured to automatically collect data and then send that data out and back to the attacker, either through uploading it to a website or putting it out on an FTP server or even e-mailing it to a specific e-mail account. At that point, the attackers can aggregate the data and they put it on the black market and sell it, or they can turn it over to another part of their organization for converting it into some type of cash. This particular type of style is increasing. It's intensified from last year, so I think that's behind some of the increase in the number of attacks.
Attacks from Eastern Europe
KITTEN: One thing that I thought was interesting was that the report noted that nearly 70 percent of the breaches originated in Eastern Europe, with less than 25 percent originating in North America. Why's Eastern Europe a haven for cybercrime?
PORTER: Great question. There could be several reasons behind it. One might be the legal framework in and around some Eastern European countries. Another reason - and I think this is something that's getting better - is just the relationships with law enforcement in those areas. I think the Secret Service, along with the FBI in the United States and other law enforcement agencies across the world, is developing better relationships with other law enforcement groups within Eastern Europe, and I think we will see that change over the years as these legal frameworks mature, as long as these relationships become better.
KITTEN: How can organizations work more closely with international law enforcement to curb some of these attacks from Eastern Europe, and it sounds like maybe just better reporting and collaboration?
PORTER: Absolutely. I think certainly the collaboration part is very important. I think any time there's data sharing involved, it's really more about the relationships between different investigators and even relationships between different companies and those law enforcement organizations.
KITTEN: As I noted in the beginning of our interview, this year Verizon notes a striking rise in hacktivist attacks. Why did these types of cyberattacks stand out to your researchers?
PORTER: Hacktivist groups have been around for a long time. Typically what we've seen though when they're protesting an organization is they may deface websites or they may launch some sort of denial-of-service attack against an organization, but what certainly has changed is the concept of breaking into an organization and stealing data, and then taking that data and publishing it to the world. They're trying to grab anything and everything they can get their hands on, so e-mails within the organization, past password lists that they hope to crack, as well as other organizational data. We found it very interesting that based on the data from our case load, as well as those of our law enforcement partners, we're able to tie actual data to some of those things that we saw this past year.
KITTEN: Are the cybercriminals, whether they're waging the attacks for social or political reasons or whether they're waging these attacks for financial gain, are they continuing to use the same modes of systems compromised?
PORTER: Very interesting. One of the things that we tried to compare and contrast is the attack methodologies that hacktivists use compared to organized crime. ... Organized crime, for instance, when they get inside an organization, they want to be stealthy and they want to stay there as long as they can; because the longer they are there, the more data they can collect, and that means the more data that they can turn into cash. For hacktivist groups, they're trying to get in and get as much as they can and as fast as possible. They're not necessarily trying to maintain that persistent access. They're not usually coming back month after month, year after year, to grab this information. Back doors aren't as predominant within hacktivist attacks, which was quite interesting.
I think it has a lot to do with the targeting of the victims of each of these sorts of things. Organized crime is directed at many more small businesses, small businesses that typically don't have a very protected perimeter, especially in controlling access to remote-access services. Large organizations do a much better job of that. They protect those remote-access services. Remote desktop typically isn't available for the entire Internet to access. Typically, it's hacktivist groups that have gone through Web applications more because, obviously, Web applications are used by large organizations to do business on the Internet and report with customers and that sort of thing. So it's not that one is less protected than another; it's just one of the only vectors that would be available to a hacktivist group to even try to attack. It was very interesting to see the differences between the two styles of attacks.
Top Tips for Security Teams
KITTEN: Based on the findings, what recommendations would you offer security teams and fraud-prevention departments?
PORTER: It depends on if it's a large business or a small business. In our report, we've got a special section for small businesses that gives [them] some very simple steps to train themselves against data breaches. Pretty simple: Change passwords to something complex and implement some sort of firewall or access-control list to protect that remote access from the Internet. For a large organization, obviously, you want a well-rounded information security program, something that's not just a point-in-time assessment, but a true program that measures things over time. For instance, hacktivist groups are targeting Web applications quite often, so you want to target your control implementations in and around protecting those Web applications; penetration tests, for instance, to identify vulnerabilities that involve remote files or SQL injection; protecting authentication mechanisms; putting clipping levels in place so that there are timeouts for failed logins. A lot of these things are pretty basic. It's really about doing simple things and then verifying that those simple things are done.
KITTEN: Before we close, do you see the need for different sectors, such as healthcare and financial, for instance, to pursue different security modes or techniques for risk mitigation?
PORTER: When we take this data - and this is available in the report - we have the ability to do this where we slice the data and look at the different attacks that are affecting healthcare organizations or affecting financial organizations. In looking at the specific types of assets that are attacking each of these different styles of practice, as well as who's behind the attacks, we find that they're very different. The financial organizations have been heavily regulated over the years, so they've got a certain security baseline behind their systems, and it keeps them from being the low-hanging fruit, at least when compared to small businesses. Then healthcare, they have a different set of threats, different types of data that they're trying to protect. There are definitely different strategies that can be employed to protect them and protect against those specific types of threats, and controls they can put in place for those.