2010 Data Breach Report From Verizon Business, U.S. Secret Service Offers New Cybercrime Insights

BASKING RIDGE, N.J., July 28. The 2010 Verizon Data Breach Investigations Report, based on a first-of-its kind collaboration with the U.S. Secret Service, has found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups. The study, released Wednesday (July 28), also noted that the overall number of breaches investigated last year declined from the total for the previous year - "a promising" indication, the study said.

The report cited stolen credentials as the most common way of gaining unauthorized access into organizations in 2009, pointing once again to the importance of strong security practices both for individuals and organizations. Organized criminal groups were responsible for 85 percent of all stolen data last year, the report said.

Verizon Business investigative experts found, as they did in the company's prior data breach reports, that most breaches were considered avoidable if security basics had been followed. Only 4 percent of breaches assessed required difficult and expensive protective measures.

The 2010 report concluded that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60 percent) continue to be discovered by external parties and then only after a considerable amount of time. And while most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes.

The collaboration with the Secret Service, announced in May, enabled this year's Data Breach Investigations Report to provide an expanded view of data breaches over the last six years. With the addition of Verizon's 2009 caseload and data contributed by the Secret Service -- which investigates financial crimes -- the report covers 900-plus breaches involving more than 900 million compromised records."This year we were able to significantly widen our window into the dynamic world of data breaches, granting us an even broader and deeper perspective," said Peter Tippett, Verizon Business vice president of technology and enterprise innovation. "By including information from the Secret Service caseload, we are expanding both our understanding of cybercrime and our ability to stop breaches."

Michael Merritt, Secret Service assistant director for investigations, said: "The Secret Service believes that building trusted partnerships between all levels of law enforcement, the private sector and academia has been a proven and successful model for facing the challenges of securing cyberspace. It is through our collaborative approach with established partnerships that the Secret Service is able to help expand the collective understanding of breaches and continue to augment our advanced detection and prevention efforts."

This year's key findings both reinforce prior conclusions and offer new insights. These include:
  --  Most data breaches investigated were caused by external sources.
      Sixty-nine percent of breaches resulted from these sources, while only
      11 percent were linked to business partners.  Forty-nine percent were
      caused by insiders, which is an increase over previous report
      findings, primarily due in part to an expanded dataset and the types
      of cases studied by the Secret Service.
  --  Many breaches involved privilege misuse. Forty-eight percent of
      breaches were attributed to users who, for malicious purposes, abused
      their right to access corporate information.  An additional 40 percent
      of breaches were the result of hacking, while 28 percent were due to
      social tactics and 14 percent to physical attacks.
  --  Commonalities continue across breaches.  As in previous years, nearly
      all data was breached from servers and online applications. Eight-five
      percent of the breaches were not considered highly difficult, and 87
      percent of victims had evidence of the breach in their log files, yet
      missed it.
  --  Meeting PCI-DSS compliance still critically important.  Seventy-nine
      percent of victims subject to the PCI-DSS standard hadn't achieved
      compliance prior to the breach.
The State of Cybercrime: 2010
The report said the decline in the overall number of data breaches may be due to a number of factors, including "law enforcement's effectiveness in capturing criminals." The report cited the arrest of Albert Gonzalez, one of the world's most notorious computer hackers, who pleaded guilty to helping run a global ring that stole hundreds of millions of payment card numbers and who was sentenced last year to 20 years in prison.

"The reduction in breaches is a positive sign that we are gaining some ground in the fight against cybercrime," said Tippett. "As we are able to share more information through the use of the VERIS security research framework to gather comparative security data such as the caseload of the Secret Service, we believe we will be even better equipped to arm organizations with best practices, processes, tools and services that will continue to make a difference."

Data breaches continue to occur within all types of organizations. Financial services, hospitality and retail still comprise the "Big Three" of industries affected (33 percent, 23 percent and 15 percent, respectively) in the merged Verizon-Secret Service dataset, though tech services edged out retail in Verizon's caseload. A growing percentage of cases and an astounding 94 percent of all compromised records in 2009 were attributable to financial services.More than half of the breaches investigated by Verizon in 2009 occurred outside the U.S., while the bulk of the breaches investigated by the Secret Service occurred in the U.S. The report finds no correlation between an organization's size and its chances of suffering a data breach. "Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size," Verizon researchers noted.

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits. These actions include:

  --  Restrict and monitor privileged users. The data from the Secret
      Service showed that there were more insider breaches than ever before.
      Insiders, especially highly privileged ones, can be difficult to
      control. The best strategies are to trust but verify by using
      pre-employment screening; limit user privileges; and employ separation
      of duties. Privileged use should be logged and messages detailing
      activity generated to management.
  --  Watch for 'Minor' Policy Violations. The study finds a correlation
      between seemingly minor policy violations and more serious abuse. This
      suggests that organizations should be wary of and adequately respond
      to all violations of an organization's policies.  Based on case data,
      the presence of illegal content on user systems or other inappropriate
      behavior is a reasonable indicator of a future breach. Actively
      searching for such indicators may prove even more effective.
  --  Implement Measures to Thwart Stolen Credentials.  Keeping
      credential-capturing malware off systems is priority No. 1. Consider
      two-factor authentication where appropriate. If possible, implement
      time-of-use rules, IP blacklisting and restricting administrative
      connections.
  --  Monitor and Filter  Outbound Traffic.  At some point during the
      sequence of events in many breaches, something (data, communications,
      connections) goes out externally via an organization's network that,
      if prevented, could break the chain and stop the breach. By
      monitoring, understanding and controlling outbound traffic, an
      organization can greatly increase its chances of mitigating malicious
      activity.
  --  Change Your Approach to Event Monitoring and Log Analysis. Almost all
      victims have evidence of the breach in their logs. It doesn't take
      much to figure out that something is amiss and make needed changes.
      Organizations should make time to review more thoroughly
      batch-processed data and analysis of logs. Make sure there are enough
      people, adequate tools and sufficient processes in place to recognize
      and respond to anomalies.
  --  Share Incident Information. An organization's ability to fully protect
      itself is based on the information available to do so.  Verizon
      believes the availability and sharing of information are crucial in
      the fight against cybercrime.  We commend all those organizations that
      take part in this effort, through such data-sharing programs as the
      Verizon VERIS Framework.
A complete copy of the "2010 Data Breach Investigations Report" is available at http://www.verizonbusiness.com/go/2010databreachreport/.