Verizon Report Shares Insights After Analyzing 47,000 Data Breaches

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Verizon’s 2013 Data Breach Investigations Report analyzes thousands of 2012 incidents, using data supplied by a variety of partners (including police and other agencies in Holland, Malaysia, Australia, Denmark, Spain, Ireland, and the United States). The dataset was limited to data breaches reported to third parties. Of the 47,000 incidents, 621 were confirmed data breaches.

While many still blame insiders for the majority of data breaches, Verizon found that 92% were perpetrated by outsiders. The discrepancy may be due, at least in part, to the fact that Verizon only had access to information on incidents and breaches reported outside the affected organization.

Not totally surprising given what we read in the news: state-affiliated actors were blamed for 19% of the breaches.

The ways in which breaches occurred are interesting (a single breach can involve several of these, so the figures overlap rather than summing to 100%):

  • 52% involved some form of hacking (significantly less than in prior years).
  • 76% exploited weak or stolen credentials (also down from prior years).
  • 40% used malware (again less than prior years).
  • 35% involved physical attacks (an increase); this includes ATM skimming.
  • 29% leveraged social tactics (also up).
  • 13% involved misuse of privileged access.

Verizon comments that “The proportion of breaches incorporating social tactics like phishing was four times higher in 2012. Credit the rise of this challenger to its widespread use in targeted espionage campaigns.”

They also say that “It’s notable that the majority (but no longer a super-majority) of breaches result from simpler opportunistic attacks than from money-hungry organized criminal groups”.

Although the largest sector hit by the incidents is Finance, this is because there was a high level of ATM-skimming. See this article focused on ATM skimming and this one that describes how it is done.

When you remove ATM skimming, Verizon says that everybody is at risk. Attacks have been against all sectors of the economy, organizations of all sizes, and individuals. However, those organizations where it is easier to extract gain from a data breach are more at risk than others.

Where did these external attacks originate? Verizon has an interesting commentary:

“For the majority (>75%) of breaches in our dataset, the threat actor’s country of origin was discoverable, and these were distributed across 40 different nations. ... Motive correlates very highly with country of origin. The majority of financially motivated incidents involved actors in either the U.S. or Eastern European countries (e.g., Romania, Bulgaria, and the Russian Federation). 96% of espionage cases were attributed to threat actors in China and the remaining 4% were unknown. This may mean that other threat groups perform their activities with greater stealth and subterfuge. But it could also mean that China is, in fact, the most active source of national and industrial espionage in the world today.”

Verizon says that 30% of external attacks came from China, but 28% were from Romania and 18% from the USA.

The discussion of internal breaches (on page 23 of the report) is interesting.

“Consistent with prior years, most insider breaches were deliberate and malicious in nature, and the majority arose from financial motives. Of course, not all insiders are about malice and money. Inappropriate behaviors such as “bringing work home” via personal e-mail accounts or sneakernetting data out on a USB drive against policy also expose sensitive data to a loss of organizational control. While not common in our main dataset, unintentional actions can have the same effect.”

Important is this observation:

“Data theft involving programmers, administrators, or executives certainly makes for interesting anecdotes, but is still less common in our overall dataset than incidents driven by employees with little to no technical aptitude or organizational power.”

Verizon references a report by the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute, quoting:

“More than 30% of insiders engaging in IT sabotage had a prior arrest history. Note, however, this statistic may not be meaningful. For instance, a 2011 study found approximately 30% of U.S. adults have been arrested by age 23.”

“In more than 70% of IP theft cases, insiders steal the information within 30 days of announcing their resignation.”

“More than half of insiders committing IT sabotage were former employees who regained access via backdoors or corporate accounts that were never disabled.”
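The two CERT findings quoted above (IP theft concentrated in the 30 days after a resignation is announced, and sabotage by former employees whose accounts were never disabled) both describe conditions an organization can check for itself. The following is an added example, not code from Verizon, CERT or the blog author: it cross-references a constructed HR roster against a constructed directory export and file-access log, flagging terminated employees whose accounts are still enabled or were used after termination, and users whose data reads in the 30 days after announcing resignation exceed a threshold. The field names, the 30-day window (taken from the CERT statistic) and the byte threshold are assumptions to be tuned locally.

```python
"""
Added example (not from the Verizon report or the blog post): an offboarding
and insider-risk check built around two findings quoted in the post:
  1. former employees regaining access through accounts never disabled;
  2. IP theft concentrated in the 30 days after a resignation is announced.
All data below is constructed for illustration; field names are assumptions.
"""
from datetime import date, timedelta

# Constructed HR roster: resignation announcements and termination dates.
HR_ROSTER = [
    {"user": "alice", "resignation_announced": None, "terminated": None},
    {"user": "bob", "resignation_announced": date(2012, 3, 1), "terminated": date(2012, 3, 15)},
    {"user": "carol", "resignation_announced": date(2012, 6, 10), "terminated": None},
    {"user": "dave", "resignation_announced": None, "terminated": date(2012, 1, 20)},
]

# Constructed directory export: account status and last logon per user.
DIRECTORY = {
    "alice": {"enabled": True, "last_logon": date(2012, 7, 1)},
    "bob": {"enabled": True, "last_logon": date(2012, 4, 2)},    # still enabled and used after termination
    "carol": {"enabled": True, "last_logon": date(2012, 6, 20)},
    "dave": {"enabled": False, "last_logon": date(2012, 1, 19)},  # correctly disabled
}

# Constructed file-access log: (user, date, bytes_read).
ACCESS_LOG = [
    ("alice", date(2012, 6, 12), 20_000_000),
    ("carol", date(2012, 6, 11), 900_000_000),
    ("carol", date(2012, 6, 25), 1_500_000_000),
    ("bob", date(2012, 3, 10), 50_000_000),
    ("bob", date(2012, 4, 2), 10_000_000),
]

RESIGNATION_WINDOW = timedelta(days=30)      # from the CERT statistic quoted above
BULK_READ_THRESHOLD = 1_000_000_000          # bytes per window; assumed tuning value


def orphaned_accounts(roster, directory):
    """Terminated employees whose accounts are still enabled, or were used after termination."""
    findings = []
    for person in roster:
        term = person["terminated"]
        if term is None:
            continue
        acct = directory.get(person["user"])
        if acct is None:
            continue  # no account on record; nothing to disable
        if acct["enabled"]:
            findings.append((person["user"], "account still enabled after termination"))
        if acct["last_logon"] is not None and acct["last_logon"] > term:
            findings.append((person["user"], "logon after termination date"))
    return findings


def resignation_window_activity(roster, access_log, threshold=BULK_READ_THRESHOLD):
    """Users whose total reads in the 30 days after announcing resignation reach the threshold."""
    findings = []
    for person in roster:
        announced = person["resignation_announced"]
        if announced is None:
            continue
        window_end = announced + RESIGNATION_WINDOW
        total = sum(n for u, d, n in access_log
                    if u == person["user"] and announced <= d <= window_end)
        if total >= threshold:
            findings.append((person["user"], total))
    return findings


if __name__ == "__main__":
    for user, reason in orphaned_accounts(HR_ROSTER, DIRECTORY):
        print(f"ORPHANED ACCOUNT: {user}: {reason}")
    for user, total in resignation_window_activity(HR_ROSTER, ACCESS_LOG):
        print(f"RESIGNATION-WINDOW BULK READ: {user}: {total} bytes")
```

On the constructed data the first check flags bob twice (account still enabled, and a logon after the termination date), and the second flags carol, whose reads in the month after announcing resignation total 2.4 GB. In practice the roster would come from the HR system and the directory export from Active Directory or the IdP; the point of the first check is that it needs no technical sophistication on the insider's part to matter, which is exactly what the Verizon observation about low-privilege employees suggests.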

The Verizon report doesn’t discuss the losses suffered as a result of breaches. I understand that insider attacks that involve executives can result in a high level of loss, and this should be considered as well as the sheer volume of attacks reviewed in the Verizon report.

There is a wealth of information about all the methods attackers deploy, and this should be essential reading for everybody charged with defending the organization or providing assurance that the defenses are adequate.

A troubling revelation is that not only do organizations take far too long to detect an intrusion or data breach, but the likelihood of detection doesn’t increase much as the intrusion extends from hours into days and beyond. 66% remained undetected for months!

In fact, 69% of the breaches were not even detected by the victim! They were detected by customers, intelligence agencies, ISPs, and so on.

I hate lists of desired controls because I always prefer to take a risk-based approach. However, organizations should consider the list on page 57, together with all the recommended actions in that section of the report.

What are your thoughts on this topic? What do you like/dislike about the report?

I close with my greetings to all for a healthy, prosperous, and joyous holiday season and new year.

Posted on Dec 14, 2013 by Norman Marks


  1. On the subject of ATM thefts, I have absolutely no sympathy with the banks. It has been possible to completely fraud-proof an ATM for over two years now (see our website), and any bank which has failed to do so deserves what it gets. These days, it's possible to have your card stolen, on the back of which you wrote the PIN, while a spy camera watched your last access, and the thieves still can't access your cash. On the subject of security breaches, I would suggest that these are the result of culpable carelessness - especially when I see you mention the time it took some organisations to detect an intrusion. Our IDS/IPS detects a hack attempt, reports the IP address to the ISP, and adds a new firewall rule in under a second. Months? They should have their internet connection revoked.
  2. “More than 30% of insiders engaging in IT sabotage had a prior arrest history.” Disturbing. However, what is more disturbing is “this statistic may not be meaningful” – what it does mean is that Human Resources is not doing their job in helping to vet these employees before they are hired. Easy for me to say in a casino industry (where we do background checks), but something for other industries to think about in terms of adequate preventive controls. Perhaps it should be recommended control #21?
  3. "Christmas is not as much about opening our presents as opening our hearts" (Janice Maeditere). Thanks for the wonderful sharings, and may you have a safe and fruitful year ahead.
