Insiders were at least partly responsible for nearly half the data breaches investigated by Verizon Business and the U.S. Secret Service in 2009, but external attacks continue to account an overwhelming majority of records stolen, according to the 2010 Verizon Data Breach Investigation Report. The third annual report is the first to include data from the Secret Service, which accounts for a substantial increase (26 percent) in reported insider attacks over the previous year. However, more than 138 million of the 143 million records stolen were attributed to external attacks, with the balance rest split about equally between insider compromises and multiple agents, generally a combination of outside attackers working with employees or partners.
This massive impact of external attacks has held true for the more than 900 million stolen records stolen in the six years covered by the reports. The successful attacks continue to rely, more often than not by exploiting things like misconfigurations or default admin passwords. "It's painful watching the companies fall victim to the same stupid problems," said Bryan Sartin, director of investigative response for Verizon Business. "The purpose of the data breach report is to give readers insight into the underpinnings of cybercrime and the ability to dissect, look at how what causes the breaches and what can they do to keep from being the next victim."
More than half of the insiders involved in data breaches were what Verizon characterizes as "regular employees/end users." Another quarter were split evenly between financial/accounting staff and network/system administrators. Executives accounted for 7 percent of the insider breaches. Social tactics were involved in more than a quarter of the total breaches, a large increase over the previous year that the report attributes to the influx of insider incidents in the Secret Service data. These tactics include solicitation or bribery, phishing (or spear-phishing, etc.), deception, spoofing, extortion or some sort of scam. However, these tactics only account for about 3 percent of the stolen records.
In the most successful breach cases, hacking and malware were each involved in the theft of about 95 percent of the records stolen. The report shows that external attackers typically gain access to the victim network through a hack -- almost always through a Web application, very often using SQL injection - then plant malware to exploit their foothold and collect and remove data. Anti-malware software is generally ineffective, because malware is not used to gain initial entry, and attackers are customizing their malware to evade detection. "Malcode is almost never the point of entry," said Sartin. "We still see a lot of customization, and anti-virus doesn't pick it up."
In the cases where most of the data (more than 80 percent) is stolen, attackers install malware with backdoor functionality to gain remote access and control, capture the data and send it out. System/network utilities such as PsTools and Netcat plays a role in these attacks. Keyloggers are also very popular, but only in low-yield attacks, responsible for just 1 percent of the stolen records.
