Risk
7/28/2010
05:45 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Verizon Data Breach Report: Some Big Surprises

One of the most comprehensive data breach reports available found the number of breaches to have declined significantly last year, and significant changes in how attackers are infiltrating companies.

One of the most comprehensive data breach reports available found the number of breaches to have declined significantly last year, and significant changes in how attackers are infiltrating companies.For an overview of the report headlines, take a look at Thomas Claburn's story from this morning, Stolen Records, Data Prices Decline. Essentially, the market for stolen records has collapsed under its own weight: with roughly 143 million records breached last year compared to 285 million the year before.

One year's data does not make a trend change. And I've seen years past when data breaches and reported successful attacks took short term reprieves only to spike viciously upward again. And, perhaps it was the arrest of Alberto Gonzales (TJX and Heartland Payment Systems), coupled with supply of breached records far outstripping their demand that contributed to the year over year drop. The price for breached record ranged from $9 to $14 a few years ago to 20 cents or less today.

But it is good news nonetheless. However short-lived I expect it to be.

If criminals are not trying to grab as many financial and credit card data as years past because the market is literally flooded, what might many be targeting now? Well, in a market driven economy, even an underground economy, suppliers will shift to where demand is highest and availability is scarce. That could include medical records, as well as attacks on Fortune 500-sized companies for proprietary information to steal to direct competitors and producers of counterfeit goods.

That's why in the next few years I expect to see more data stolen that could be used for medical identity theft, as well as more attacks similar to those that surfaced early this year that targeted Google and other major software makers.

Another interesting takeaway from the report, within the hacking section, page 27, (Full report is available for download here.) is how wildly successful the use of stolen login credentials is. While constituting 38 percent of incidents in the report, 86 percent of all breached records were stolen this way. The two other most common attack methods where the exploitation of backdoor and/command and control channels established (such as with botnets).

The troubling thought with so many stolen credentials in play is how that suggests insiders are obtaining and selling logon information. That could be a challenging problem for businesses to solve as it may require the deployment of a another factor of authentication, such as smart card or biometric in addition to the username and password combination. Perhaps changing passwords more often could help.

However, the other two can be more readily managed. There's virtually no excuse for SQL Injection vulnerabilities to be present in modern day systems. None. It's a decade old problem, and developers know how to avoid them. Businesses just need to do a better job with the QA in their development process. And spotting botnet C&C traffic on your network can be done through standard monitoring.

But that's often the case with information security challenges, isn't it: businesses know what they should be doing to avoid trouble and just don't bother to do it until after there's been a nasty incident.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.