23 March 2012

Hackfatigue

Yet another breathless data breach advertorial, this time from Verizon, which claims "2011 Was the Year of the 'Hacktivist".

The 80 page Verizon 2012 Data Breach Investigations Report [PDF] - decorated with pretty graphs and impressive-looking statistics - emotes about "the dramatic rise of hacktivism - cyberhacking to advance political and social objectives" before reporting that the "majority of breaches are avoidable with sound security measures". Verizon offers security solutions along with connectivity.

The report indicates that
In 2011, 58% of data stolen was attributed to hacktivism, according to the annual report released today from Verizon. The new trend contrasts sharply with the data-breach pattern of past several years, during which the majority of attacks were carried out by cybercriminals, whose primary motivation was financial gain.

Seventy-nine percent of attacks represented in the report were opportunistic. Of all attacks, 96% were not highly difficult, meaning they did not require advanced skills or extensive resources. Additionally, 97% of the attacks were avoidable, without the need for organizations to resort to difficult or expensive countermeasures. The report also contains recommendations that large and small organizations can implement to protect themselves.

Now in its fifth year of publication, the report spans 855 data breaches across 174 million stolen records - the second-highest data loss that the Verizon RISK (Research Investigations Solutions Knowledge) team has seen since it began collecting data in 2004. Verizon was joined by five partners that contributed data to this year's report: the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police.

"With the participation of our law enforcement partners around the globe, the '2012 Data Breach Investigations Report' offers what we believe is the most comprehensive look ever into the state of cybersecurity," said Wade Baker, Verizon's director of risk intelligence.
Modest to a fault, those Verizon people, who announce that "Our goal is to increase the awareness of global cybercrime in an effort to improve the security industry's ability to fight it while helping government agencies and private sector organizations develop their own tailored security plans".

Supposedly
Breaches originated from 36 countries around the globe, an increase from 22 countries the year prior. Nearly 70% of breaches originated in Eastern Europe, with less than 25% originating in North America.

External attacks remain largely responsible for data breaches, with 98% of them attributable to outsiders. This group includes organized crime, activist groups, former employees, lone hackers and even organizations sponsored by foreign governments. With a rise in external attacks, the proportion of insider incidents declined again in this year's report, to 4%. Business partners were responsible for less than 1 percent of data breaches.

In terms of attack methods, hacking and malware have continued to increase. In fact, hacking was a factor in 81% of data breaches and in 99% of data lost. Malware also played a large part in data breaches; it appeared in 69% of breaches and 95% of compromised records. Hacking and malware are favored by external attackers, as these attack methods allow them to attack multiple victims at the same time from remote locations. Many hacking and malware tools are designed to be easy and simple for criminals to use.

Additionally, the compromise-to-discovery timeline continues to be measured in months and even years, as opposed to hours and days. Finally, third parties continue to detect the majority of breaches (92%).
Data in the 2012 report is claimed to demonstrate that:
Industrial espionage revealed criminal interest in stealing trade secrets and gaining access to intellectual property. This trend, while less frequent, has serious implications for the security of corporate data, especially if it accelerates.

External attacks increased. Since hacktivism is a factor in more than half of the breaches, attacks are predominantly led by outsiders. Only 4% of attacks implicate internal employees.

Hacking and malware dominate. The use of hacking and malware increased in conjunction with the rise in external attacks in 2011. Hacking appeared in 81% of breaches (compared with 50% in 2010), and malware appeared in 69% (compared with 49% in 2010). Hacking and malware offer outsiders an easy way to exploit security flaws and gain access to confidential data.

Personally identifiable information (PII) has become a jackpot for criminals. PII, which can include a person's name, contact information and social security number, is increasingly becoming a choice target. In 2011, 95% of records lost included personal information, compared with only 1% in 2010.

Compliance does not equal security. While compliance programs, such as the Payment Card Industry Data Security Standard, provide sound steps to increasing security, being PCI compliant does not make an organization immune from attacks.
Only 1% in 2010 and 95% in 2011? Looking beyond the triteness of "being PCI compliant does not make an organization immune from attacks" - a first year undergrad conclusion - it's difficult to embrace a report with problematical figures that aren't sourced or readily verified.