
Breaches Down, Insider Attacks Up, Verizon Business/Secret Service Study Says

PCI compliance, saturation of black market may have driven decline, investigators say

The number of records compromised in major data breaches dropped sharply last year, according to a new study being issued today. But the causes of those breaches changed dramatically, shifting strongly toward insider attacks.

Those are just two of the conclusions revealed in the 2010 Verizon Data Breach Investigations Report (PDF), a study that has been conducted annually by the forensics unit of Verizon Business, and this year combines Verizon's data with breach data compiled by the U.S. Secret Service.

One of the most striking figures in the new study is that even after combining its own numbers with those of the Secret Service, Verizon recognized a drop in the number of records breached last year. After seeing more than 285 million records compromised in 2008 -- 361 million records when combined with the Secret Service data -- the combined entities saw breaches of only 143 million records in 2009.

"There's some speculation that PCI compliance may be a factor in the drop," says Bryan Sartin, director of investigative response at Verizon Business, "but there are a lot of factors to weigh here. Realistically, we won't be able to say for sure what caused the drop-off until we've got a couple of years of data to look at."

The investigators did notice a marked drop-off in breaches following the indictment of Albert Gonzalez -- the cybercriminal credited with leading the hacks of TJX, Heartland Payment Systems, and others -- in 2009, Sartin says. "For 30 to 45 days, the rate of new crimes slowed down," he reports. "The number of incidents in Japan, which has historically been very quiet, rose to almost the same level as the U.S. There was a lot of shifting during that time period."

The drop-off in records affected might also be a reflection of a shift in targets -- cybercriminals are becoming more interested in passwords and privileges than in pure credit card data, Sartin observes. "Some of it is sheer economics," he says. "The black market [for credit card data] is only so big. In the last year, we saw a drop in the market price from $9 to $16 per record to as low as 10 or 20 cents per record. It's just not as profitable a business."

While the volume of breaches shifted dramatically between Verizon's 2009 report and the 2010 report, so did the source of the attacks, Sartin notes. While external forces still reign supreme -- 70 percent of all breaches resulted from external agents -- the percentage of cases that involved insiders rose to 48 percent, an increase of 26 percent over the previous year. Some of the shift was caused by the integration of data from the Secret Service, which sees more insider cases than Verizon, but that was not the only factor in the shift, Sartin says.

"We're seeing a lot more attacks that are done through employees, like systems administrators and network administrators," Sartin reports. "People are angry. They hate their boss, they hate their jobs. The outsiders recruit them, and then use their privileged passwords to do their work."

Interestingly, he says, the insider with the credentials is usually the one who gets arrested, and they often can't identify the outsider who put them up to the crime. "Often, they never get paid for the information they give out," Sartin says.

Surprisingly, although 40 percent of the cases involved some form of hacking (down 24 percent from a year ago), most of the breaches investigated by Verizon and the Secret Service did not involve the exploitation of patchable vulnerabilities in enterprise applications. "We saw almost none of that," he says. "Most of what we saw was simple exploitation of guessable passwords. These weren't very sophisticated hacks at all."

As with past Verizon Data Breach Investigation Reports, the researchers found that most companies still are doing a poor job of detecting breaches to their own systems. In the majority of cases, the breach was discovered by some external entity -- such as a business partner or auditor -- and in most cases, the breach had been in place for some length of time.

"Everyone is still failing abysmally to shorten the lag time between breach and awareness of the breach," Sartin says. "Sometimes people don't find out for months that they've been breached. Sometimes they don't act quickly when they find out."

Interestingly, Verizon finds that in about 86 percent of cases, no sophisticated forensics tools are required to locate the source of a breach. The breaches show up clearly in the system and security logs of the victim. "The breach was there, but nobody saw it because nobody was looking at the logs," he says. "It was right there in front of them."

Many enterprise IT staffs resist log analysis because there are so many logs in the average organization, and because there is a large volume of data residing in each log, Sartin observes. "They say it's like finding a needle in a haystack," he says.

But in many cases, the evidence of SQL injection or other external tampering stands out from the rest of the log data like a sore thumb, Sartin says. "In most cases, it's not an issue of trying to find a needle," he says. "If you just looked at the haystacks, you'd see it."
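The two findings above, that most intrusions were simple password guessing and that the evidence of SQL injection was already sitting in the victim's logs, are both things a defender can check for without forensics tooling. The following is an added example, not code from the report or from Verizon Business: it parses web server access-log lines in the common combined format, flags requests whose decoded query string carries injection signatures, and flags a source address that fails login repeatedly inside a short window and then succeeds. All log lines, IP addresses, the `/login` path, the signature list and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Combined-log-format line: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Illustrative injection signatures, matched against the URL-decoded request path.
SQLI_SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"\bor\b\s+'?\w+'?\s*=\s*'?\w+'?", re.I),  # OR '1'='1, or 1=1
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),        # timing-based probes
    "comment_tail": re.compile(r"(--|#)\s*$"),                           # trailing SQL comment
}

# Constructed sample log: normal browsing, three injection probes, one mistyped login.
SAMPLE_LINES = """\
10.0.0.5 - - [12/Mar/2010:14:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2010:14:01:09 +0000] "GET /products?id=43 HTTP/1.1" 200 5098
203.0.113.7 - - [12/Mar/2010:14:02:11 +0000] "GET /products?id=42'%20OR%20'1'%3D'1 HTTP/1.1" 200 98211
203.0.113.7 - - [12/Mar/2010:14:02:13 +0000] "GET /products?id=42%20UNION%20SELECT%20card_no,expiry%20FROM%20cards-- HTTP/1.1" 500 712
203.0.113.7 - - [12/Mar/2010:14:02:15 +0000] "GET /products?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2010:14:03:00 +0000] "POST /login HTTP/1.1" 401 312
10.0.0.5 - - [12/Mar/2010:14:03:20 +0000] "POST /login HTTP/1.1" 302 0
""".splitlines()
# Constructed burst: 12 failed logins 3 s apart from one address, then a success.
SAMPLE_LINES += [
    f'198.51.100.9 - - [12/Mar/2010:14:05:{sec:02d} +0000] "POST /login HTTP/1.1" 401 312'
    for sec in range(0, 36, 3)
]
SAMPLE_LINES.append('198.51.100.9 - - [12/Mar/2010:14:05:40 +0000] "POST /login HTTP/1.1" 302 0')


def parse_log(lines):
    """Parse combined-format lines; lines that do not parse are dropped, not trusted."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["decoded_path"] = unquote_plus(e["path"])  # match on what the application saw
        entries.append(e)
    return entries


def find_sql_injection(entries):
    """One finding per request whose decoded path matches at least one signature."""
    findings = []
    for e in entries:
        hits = [name for name, rx in SQLI_SIGNATURES.items() if rx.search(e["decoded_path"])]
        if hits:
            findings.append({"ip": e["ip"], "ts": e["ts"].isoformat(),
                             "path": e["decoded_path"], "signatures": hits})
    return findings


def find_password_guessing(entries, threshold=10, window_seconds=120):
    """Flag a source with >= threshold failed logins inside any window_seconds span,
    recording whether a successful login followed (the 'guessable password' case)."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].startswith("/login"):
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["status"] == 401]
        start = 0
        for end in range(len(failures)):  # sliding window over failure timestamps
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                last_failure = failures[-1]["ts"]
                success_after = any(e["status"] in (200, 302) and e["ts"] > last_failure
                                    for e in events)
                alerts.append({"ip": ip, "failures": len(failures),
                               "success_after": success_after})
                break
    return alerts


def triage(lines):
    """Run both detectors over raw lines and report how big the haystack was."""
    entries = parse_log(lines)
    return {"lines": len(entries),
            "sql_injection": find_sql_injection(entries),
            "password_guessing": find_password_guessing(entries)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Run against the 20 constructed lines, `triage` returns three injection findings, all from one address, and one password-guessing alert whose `success_after` is true, which is the case worth escalating first. The signatures are deliberately few and loose; in practice they are a starting point to be tuned against the application's own URL space, and the login burst detector needs the real login path and status codes of the application being monitored.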

While the industry continues to decry the increasing sophistication of hackers, most of the actual exploits used to attack companies are fairly simple, Sartin says. "Some 87 percent of the breaches we see are easily preventable with the use of simple tools, like vulnerability scanners, and simple processes for using them," he says. "If you just do the basics right, you'd be surprised at how often a hacker will pass you by, because there are so many easier targets out there that don't."


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
