Criminals Cast Wide Net: Verizon Reports More Numerous But Smaller Breaches

Cyber criminals have apparently switched gears dramatically, eschewing big data breaches in favor of more low-risk attacks against poorly defended targets. The 2011 Verizon Data Breach Investigations Report shows a precipitous drop in the number of records stolen--from 141 million in 2009 to 4 million in 2010, even as the caseload of breaches investigated increased more than six-fold.

"We're seeing a retooling by the folks who are behind this," says Chris Novak, global forensics investigator for Verizon. "We're not seeing them target large-scale data breaches; they're hitting smaller scale organizations." Novak cites successful arrest and prosecution in the criminal underground as a factor. Criminals are shying away from high-risk "big jobs" and picking on smaller targets, where security is likely to be weaker.

Most of these attacks, 83%, are classified as opportunistic rather than targeted against particular organizations, indicating the use of automated weapons and snatch-and-run tactics rather than long-term intrusions in which criminals continue to exfiltrate records undetected over long periods of time. Malware was a factor in almost half the breaches, an increase from 38% in 2009, which may also indicate a trend to automation and a lower chance of getting caught.

"When we have an opportunity to interview perpetrators, the common thread is that they rarely know who they hacked into," Novak says. "They don't care what the sign on the outside of the building says; cash is cash. Why go after Fort Knox when I run a much better risk of getting caught, when I can knock over a bunch of liquor stores? The job is easier to pull off, and the risk is a lot less."

There may also be a glut of personally identifiable information (PII), credit card numbers and other mass-volume information, Novak says. The value may have decreased as the criminal market reaches a saturation point, so records that may have fetched $30, $50 or $100 at one time may be worth only cents on the dollar. However, payment card information is still a popular target, he says, because it is the easiest to monetize, and randomly stolen intellectual property has no value unless the thief is in a position to use it.This is the fourth Verizon Data Breach Investigations Report. The first encompassed several years of investigations. For the second straight year, the report includes investigations by the U.S. Secret Service, which is responsible for investigating financial crime. In an effort to continue to expand the pool of cases, this year's report also includes selected investigations by the Dutch National High Tech Crime Unit, which Novak says is one of the most active cyber crime investigation organizations in the world.

Another startling change was the percentage of breaches that involved external agents--92%, a 22% increase over 2009. Internal agents were responsible for 17%, a 31% decrease. (Some breaches used both internal and external agents.) The report states that these figures are more a result of a huge increase in attacks involving external agents, rather than a drop in internal techniques.

Verizon hypothesizes that the increase "reflects an ongoing industrialization process of sorts in attack methods, creating economies of scale by refining standardized, automated and highly repeatable attacks directed at smaller, vulnerable and largely homogeneous targets"

What has not changed is that almost all of these breaches were easily avoidable, a recurring theme throughout every report. The breaches did not require particularly sophisticated attacks: 97% were avoidable through simple or intermediate controls.

See more on this topic by subscribing to Network Computing Pro Reports Alert: The Long Arm of Database Security (subscription required).