RECORD : 90 data breaches in 2008

RECORD : 90 data breaches in 2008

By Linda Musthaler,

Network World,

June 26, 2009

http://www.networkworld.com/newsletters/techexec/2009/062909bestpractices.html

Data breaches continue to plague organizations in virtually every industry. In some breaches, the root cause is fairly obvious -- a lost or stolen laptop or USB stick, for instance. In other cases, it takes a forensic investigation to piece together the details of what happened and how.

The Verizon Business RISK Team is a world-renowned data forensics organization that investigates all sorts of suspected breaches. Since 2004, this team has worked on more than 600 cases. Fortunately for us, the team is willing to share its collective knowledge and provide an analysis of the trends in breaches, including how they happen and what the root causes and contributing factors are.

10 woeful takes of data gone missing

I featured some of their analysis in my February article, "Don't Be a Data Loss Victim". Since then, the RISK Team has published its latest report, the 2009 Data Breach Investigations Report (DBIR). This is a good read for any organization that is trying to plan where and how to allocate scarce resources. For example, the prevailing wisdom says that company insiders are a major threat for accidentally exposing data or intentionally stealing it. In the experience of the Verizon team -- and mind you, the team's universe is not all breaches, but only the ones its members investigate -- the insider threat is much less significant than those threats that come from outside the company. Knowing this, an organization can plan its defenses accordingly.

The 2009 report focuses on the more than 90 confirmed breaches the team investigated in 2008. The number of sensitive data records exposed through these breaches totals more than 285 million. That's more records exposed in one year than the sum of all the records exposed in the four previous years.

Here are some notable statistics from the 2009 report:

• 74% of the breaches resulted from external sources. This percentage is just about unchanged from previous years.

• 91% of all compromised records were linked to organized criminal groups. It's no surprise such groups are after data they can monetize quickly, such as credit card data and financial records.

• 67% of the breaches were aided by significant errors, such as not applying a patch for a known vulnerability. This statistic is unchanged since previous years, meaning we haven't learned yet how important it is to watch out for the simple things that are in our control.

• 38% of the 2008 attacks utilized malware to plant the means to steal data. This is trending upward as malware is now an essential component to nearly all large-scale breaches. As the report says, "Hacking gets the criminal in the door, but malware gets him the data."

Network managers can take solace in one bit of information from Verizon's report: a small percentage of 2008 hacks targeted routers, switches and other network devices. What's more, wireless networks are actually a rare attack vector for recent data breaches. (Perhaps network managers learned from the atrocious TJX Companies breach in 2007 in which 94 million accounts were compromised. Hackers utilized outdated wireless network security in retail stores to gain access to unencrypted payment card data.)

Another interesting take-away is the analysis of what types of information assets are often compromised. In the scope of the Verizon investigations, 94% of the breaches (and 99.9% of the pilfered records) are attributed to online assets, including servers and applications. This is significant because many companies fret about data on user systems, in offline storage and in transit across networks and devices. Verizon reports that 17% of the breaches involving only .01% of the data occurred with user systems; 2% of the breaches impacting .04% of the data involved offline data; and no breaches occurred with networks and devices. Bottom line: focus on protecting data on servers and applications.

Understandably, no organization has unlimited resources for data protection, and therefore risk mitigation efforts must be focused. Based on the observations made over five years and across 600 investigations, the Verizon Business RISK Team provides five recommendations for major activities that can greatly help reduce the risk of a data breach:

• Ensure that essential controls are met.

• Find, track and assess data.

• Collect and monitor event logs.

• Audit user accounts and credentials.

• Test and review Web applications.

You can read the entire 2009 Data Breach Investigations Report at http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf.