2013 Verizon Data Breach Report Is Out - Risks Increase

Verizon’s annual “Data Breach Investigations Report” (“DBIR”) is a must read for data and information security professionals and we eagerly await each release.  The 2013 DBIR is now out and being carefully read by information security professionals.  Now in its sixth year, each DBIR provides a broad overview of the changing information security and data breach landscape from year to year, combining Verizon’s own Risk Team breach data with 19 participating organizations around the world to glean lessons learned by analyzing 47,000+ security incidents and 621 confirmed data breaches. What does this year's Verizon Data Breach Investigations Report reveal? Read on.

The DBIR is broadly broken down into reviewing threat actors, threat actions, assets and data that are frequently compromised, attack targeting, breach timelines and breach discovery methods topped with final conclusions and recommendations.  We recommend a leisurely full read of the DBIR's 63-pages (Beach weather is approaching!) as it vividly highlights trends, major breaches and new threat vectors to provide a clear snapshot of the prior year’s infosec battles with often eye-popping findings. Can’t wait until you’re sitting by the pool to read the full DBIR? Not to worry, here’s a high level sampling of its findings followed by the DBIR’s eight key recommendations:

  • As in the prior 2012 DBIR, the clear leading source of data breaches continues to be “financially motivated cybercrime” originating from the US or Eastern Europe (i.e., Romania, Bulgaria and the Russian Federation), which accounted for 75% of all opportunistic breaches studied by the DBIR.
  • Somewhat more surprising to many (but not to active infosec professionals) is that 19% of all attacks studied by the DBIR were conducted by “state-affiliated actors” – in short state-sponsored “cyber espionage” seeking acquisition of classified information, trade secrets, intellectual property, financial data and insider information.
  • A notable proportion of incidents, holding study from 2011 to 2012, reviewed by the DBIR track back to “hacktivists” whose goals are “to maximize disruption and embarrassment to their victims.”
  • Contrary to popular memes, only 14% of attacks involve “insiders” – whereas external attacks remain responsible for 92% of data breaches. Interestingly, “only” 1% of data breaches were traceable to business partners.
  • While sophistication of attacks is growing, less than 1% of breaches in this year’s DBIR were attributable to tactics deemed high on the VERIS difficulty scale. In fact, the DBIR notes that most breaches could still be easily prevented, with 78% of techniques reviewed judged to be in the low or very low category of sophistication.
  • Regarding the corporate actors involved in internal data breaches, customer service personnel were responsible for a whopping 46% - followed up by end-users (17%), administrators (16%), managers (7%) and executives (5%).
  • Vividly highlighting the rise of social engineering and media, the proportion of breaches utilizing social tactics, like phishing, was 4x higher in 2012 than in prior years.
  • As to attack methods, yes, hacking remains the number one breach vector, factoring in 52% of data breaches. Surprised?
  • Seventy-six percent of network intrusions resulted from weak or stolen credentials; 40% relied on malware in some fashion; 35% involved physical attacks (e.g., ATM skimming); and 29% leveraged social tactics (i.e., phishing).
  • Interestingly, not a single case in which the Verizon Investigative Response team was called in involved data “in transit,” whereas two-thirds of breaches involved data “at rest” with the remaining breaches occurring during processing.
  • Spotting and detecting a data breach still takes significant time, which the length of time getting longer. In the 2012 DBIR 56% of breaches took a month or more to be discovered. The 2013 DBIR reports the sobering finding that 66% of breaches took months or even years to discover (62% - months; 4% - years).
  • Worse 9% of breaches are discovered by customers first and 28% by unrelated external parties. In a bright spot of news 24% of breaches are identified by fraud detection mechanisms. Nevertheless, the vast majority of breaches are discovered by external parties – not internal IT audits or intrusion detection procedures.

Recommendations: The DBIR provides 8 key recommendations resulting from its findings. They are:

  • Eliminate unnecessary data; keep tabs on what’s left.
  • Perform regular checks to ensure that essential controls are met.
  • Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
  • Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.
  • Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
  • Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.
  • Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
  • Don’t underestimate the tenacity of your adversaries, especially espionage driven attackers, or the power of the intelligence and tools at your disposal.

The vast amount of analysis and data presented in the 2013 DBIR takes time to digest and respond to, however, the most frightening finding  in the entire DBIR is organizations' inability to quantify data loss.  What does that mean?   According to Verizon, for breach events in its data set, entities had a complete and accurate count of compromised records in only 15% of breach incidents.  That is entities could not determine the full scope of a breach in 85% of breach incidents.

To discuss the 2013 Verizon DBIR or to review how to apply its findings to your own risk management programs or data security policies and procedures feel free to contact me or any of the attorneys at the InfoLawGroup.