Network Computing is part of the Informa Tech Division of Informa PLC

Verizon Offers Mid-Year Report On Security Breaches

Verizon Business has released a mid-year supplement to its Data Breach Report, providing details on 15 categories of attacks and exploits that its internal security teams say are the most prevalent. In addition, the report describes how these common attacks tend to operate and offers tips on mitigating the risks they pose. The fifteen categories are:

  • Keylogging and spyware
  • Backdoor or command/control
  • SQL injection
  • Abuse of system access/privileges
  • Unauthorized access via default credentials
  • Violation of acceptable use and other policies
  • Unauthorized access via weak or misconfigured access control lists (ACL)
  • Packet sniffer
  • Unauthorized access via stolen credentials
  • Pretexting or social engineering
  • Authentication bypass
  • Physical theft of asset
  • Brute-force attack
  • RAM scraper
  • Phishing (and endless "ishing" variations).

Bryan Sartin, director of investigative response and head of the forensics team at Verizon, says that the supplement is the result of feedback from the security professionals and managers who read the annual report on data breaches. He says, "Our blog helps us pick up information from the public, and we also get information from our customers. Our feedback from the '09 report had some common themes. One of the most common things was that people needed more narrative. They love the statistics and narratives, but people wanted the case studies, the prose about what we found."

More than just stories, though, the readers wanted highly targeted information that would be directly useful in their work. "IT people seem to want a 'silver bullet' where they have something to take to a non-technical manager to help them understand the importance of this security thing," he says. Another issue that readers wanted addressed was a perceived bias in Verizon's reports, which present insider threats as less of a problem than other security groups claim. The authors explain the discrepancy primarily in terms of how breaches are classified by Verizon versus other groups. Many public disclosures, for instance, don't include the source of the breach on the initial report.

Sartin uses key-loggers as an example of the kind of information the report contains. For key-loggers, Verizon gives details on the industries most hit, the percentage of its case load that consisted of key-logger exploits, and ways that organizations can detect the presence of key-loggers in the environment. The report also gives mitigators: ways that the organization can deal with each threat type. Sartin says, "One of the best parts of this is that we hope readers can take the example and bring it to one of their managers and say 'here's a company that looks like us, and they had a breach, and if you look at the key indicators and mitigators, they're set up like we are, so we need to be more active.'"

The second part of the study deals more explicitly with the bias question. Verizon compared its records to those of datalossdb.org. Verizon's forensics teams also worked with datalossdb to compare the data sets developed by each group. Ultimately, they decided to include a separate appendix to explicitly compare the observations of each organization. According to Sartin, once a reader begins looking carefully at each report, the reasons behind any perceived differences become clear. "You can see that we have a fundamentally different orientation than they do. They look at things like devices lost, where we verify data loss from intrusions and things like that. If you take away the 'at risk' categories from their data you can see that there aren't a ton of differences except in a few areas," he says.
