The Verizon 2013 Data Breach Investigations Report analyzes thousands of 2012 incidents, using data supplied by a variety of partners (including police and other agencies in Holland, Malaysia, Australia, Denmark, Spain, Ireland, and the United States). The dataset was limited to incidents reported to third parties. Of the 47,000 incidents, 621 were confirmed data breaches.
While many still blame insiders for the majority of data breaches, Verizon found that 92% were perpetrated by outsiders. The discrepancy may be due, at least in part, to the fact that Verizon only had access to information on incidents and breaches reported outside the affected organization.
Not surprisingly, given what we read in the news, state-affiliated actors were blamed for 19% of the breaches.
The ways in which breaches occurred are interesting:
- 52% involved some form of hacking (significantly less than in prior years).
- 76% exploited weak or stolen credentials (also down from prior years).
- 40% used malware (again less than prior years).
- 35% involved physical attacks (an increase); this includes ATM skimming.
- 29% leveraged social tactics (also up).
- 13% involved misuse of privileged access.
Verizon comments that "The proportion of breaches incorporating social tactics like phishing was four times higher in 2012. Credit the rise of this challenger to its widespread use in targeted espionage campaigns."
They also say that "It's notable that the majority (but no longer a super-majority) of breaches result from simpler opportunistic attacks than from money-hungry organized criminal groups."
Although the sector hit hardest by the incidents is Finance, this is because there was a high level of ATM skimming. See this article focused on ATM skimming and this one that describes how it is done.
Setting ATM skimming aside, Verizon says that everybody is at risk. Attacks were made against all sectors of the economy, organizations of all sizes, and individuals. However, organizations from which it is easier to extract gain through a data breach are more at risk than others.
Where did these external attacks originate? Verizon has an interesting commentary:
"For the majority (>75%) of breaches in our dataset, the threat actor's country of origin was discoverable, and these were distributed across 40 different nations. ... Motive correlates very highly with country of origin. The majority of financially motivated incidents involved actors in either the U.S. or Eastern European countries (e.g., Romania, Bulgaria, and the Russian Federation). 96% of espionage cases were attributed to threat actors in China and the remaining 4% were unknown. This may mean that other threat groups perform their activities with greater stealth and subterfuge. But it could also mean that China is, in fact, the most active source of national and industrial espionage in the world today."
Verizon says that 30% of external attacks came from China, but 28% were from Romania and 18% from the USA.
The discussion of internal breaches (on page 23 of the report) is interesting.
"Consistent with prior years, most insider breaches were deliberate and malicious in nature, and the majority arose from financial motives. Of course, not all insiders are about malice and money. Inappropriate behaviors such as "bringing work home" via personal e-mail accounts or sneakernetting data out on a USB drive against policy also expose sensitive data to a loss of organizational control. While not common in our main dataset, unintentional actions can have the same effect."
This observation is important:
"Data theft involving programmers, administrators, or executives certainly makes for interesting anecdotes, but is still less common in our overall dataset than incidents driven by employees with little to no technical aptitude or organizational power."
Verizon references a report by the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute, quoting:
"More than 30% of insiders engaging in IT sabotage had a prior arrest history. Note, however, this statistic may not be meaningful. For instance, a 2011 study found approximately 30% of U.S. adults have been arrested by age 23."
"In more than 70% of IP theft cases, insiders steal the information within 30 days of announcing their resignation."
"More than half of insiders committing IT sabotage were former employees who regained access via backdoors or corporate accounts that were never disabled."
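The CERT finding above points at a control that is easy to check mechanically: reconcile the HR leaver list against the identity store so that accounts of departed employees cannot linger enabled, and so that the accounts of people serving out a resignation notice get a review. The script below is an added example written for this post; it is not code from the Verizon report or the CERT study. It assumes a simplified HR export (user, notice date, termination date) and an account export (user, enabled flag, last login); the record layouts, field names, and the 30-day review window are assumptions, and all sample records are constructed.

```python
"""Reconcile HR leaver data against enabled accounts (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class HRRecord:
    user: str
    notice_date: Optional[date]       # day the resignation was announced, if any
    termination_date: Optional[date]  # last day of employment; None if still employed


@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]


@dataclass
class Finding:
    user: str
    reason: str


def reconcile(hr: List[HRRecord], accounts: List[Account], today: date,
              notice_window_days: int = 30) -> List[Finding]:
    """Flag accounts that HR data says should be disabled or reviewed.

    Three conditions are reported:
      * an enabled account for someone whose termination date has passed;
      * a login recorded after the termination date (regardless of enabled state);
      * an enabled account for someone who announced resignation within the
        review window (the CERT figure that most IP theft happens within 30 days
        of the announcement motivates the default window).
    Accounts with no HR record at all are also reported if enabled, since they
    cannot be tied to an offboarding process.
    """
    hr_by_user = {rec.user: rec for rec in hr}
    findings: List[Finding] = []
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            if acct.enabled:
                findings.append(Finding(acct.user, "enabled account with no matching HR record"))
            continue
        if rec.termination_date is not None and rec.termination_date < today:
            if acct.enabled:
                findings.append(Finding(acct.user, "account still enabled after termination"))
            if acct.last_login is not None and acct.last_login > rec.termination_date:
                findings.append(Finding(acct.user, "login recorded after termination date"))
            continue
        if (rec.notice_date is not None and acct.enabled
                and 0 <= (today - rec.notice_date).days <= notice_window_days):
            findings.append(Finding(acct.user, "resignation announced within review window; review data access"))
    return findings


def sample_findings() -> List[Finding]:
    """Run the reconciliation over constructed sample records."""
    today = date(2013, 1, 15)
    hr = [
        HRRecord("alice", None, None),                                  # current employee
        HRRecord("bob", date(2012, 11, 1), date(2012, 11, 30)),         # left in November
        HRRecord("carol", date(2013, 1, 5), date(2013, 1, 31)),         # resignation announced 10 days ago
        HRRecord("dave", None, date(2012, 6, 30)),                      # left in June, account disabled
    ]
    accounts = [
        Account("alice", True, date(2013, 1, 14)),
        Account("bob", True, date(2012, 12, 20)),      # never disabled, and used after leaving
        Account("carol", True, date(2013, 1, 14)),
        Account("dave", False, date(2012, 6, 28)),
        Account("svc_backup", True, None),             # no HR owner on record
    ]
    return reconcile(hr, accounts, today)


if __name__ == "__main__":
    for finding in sample_findings():
        print(f"{finding.user}: {finding.reason}")
```

In practice the two inputs would come from an HR system export and a directory query; the point of the check is that it runs on a schedule, so a missed offboarding step surfaces within a day rather than being discovered after the fact.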
The Verizon report doesn't discuss the losses suffered as a result of breaches. I understand that insider attacks that involve executives can result in a high level of loss, and this should be considered as well as the sheer volume of attacks reviewed in the Verizon report.
There is a wealth of information about all the methods attackers deploy, and this should be essential reading for everybody charged with defending the organization or providing assurance that the defenses are adequate.
A troubling revelation is that not only do organizations take far too long to detect intrusions and data breaches, but the likelihood of detection doesn't increase much as the intrusion extends to days or longer. 66% remained undetected for months!
In fact, 69% of the breaches were not even detected by the victim! They were detected by customers, intelligence agencies, ISPs, and so on.
I hate lists of desired controls because I always prefer to take a risk-based approach. However, organizations should consider the list on page 57, together with all the recommended actions in that section of the report.
What are your thoughts on this topic? What do you like/dislike about the report?
I close with my greetings to all for a healthy, prosperous, and joyous holiday season and new year.