Risk
7/28/2010
05:45 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Verizon Data Breach Report: Some Big Surprises

One of the most comprehensive data breach reports available found the number of breaches to have declined significantly last year, and significant changes in how attackers are infiltrating companies.

One of the most comprehensive data breach reports available found the number of breaches to have declined significantly last year, and significant changes in how attackers are infiltrating companies.For an overview of the report headlines, take a look at Thomas Claburn's story from this morning, Stolen Records, Data Prices Decline. Essentially, the market for stolen records has collapsed under its own weight: with roughly 143 million records breached last year compared to 285 million the year before.

One year's data does not make a trend change. And I've seen years past when data breaches and reported successful attacks took short term reprieves only to spike viciously upward again. And, perhaps it was the arrest of Alberto Gonzales (TJX and Heartland Payment Systems), coupled with supply of breached records far outstripping their demand that contributed to the year over year drop. The price for breached record ranged from $9 to $14 a few years ago to 20 cents or less today.

But it is good news nonetheless. However short-lived I expect it to be.

If criminals are not trying to grab as many financial and credit card data as years past because the market is literally flooded, what might many be targeting now? Well, in a market driven economy, even an underground economy, suppliers will shift to where demand is highest and availability is scarce. That could include medical records, as well as attacks on Fortune 500-sized companies for proprietary information to steal to direct competitors and producers of counterfeit goods.

That's why in the next few years I expect to see more data stolen that could be used for medical identity theft, as well as more attacks similar to those that surfaced early this year that targeted Google and other major software makers.

Another interesting takeaway from the report, within the hacking section, page 27, (Full report is available for download here.) is how wildly successful the use of stolen login credentials is. While constituting 38 percent of incidents in the report, 86 percent of all breached records were stolen this way. The two other most common attack methods where the exploitation of backdoor and/command and control channels established (such as with botnets).

The troubling thought with so many stolen credentials in play is how that suggests insiders are obtaining and selling logon information. That could be a challenging problem for businesses to solve as it may require the deployment of a another factor of authentication, such as smart card or biometric in addition to the username and password combination. Perhaps changing passwords more often could help.

However, the other two can be more readily managed. There's virtually no excuse for SQL Injection vulnerabilities to be present in modern day systems. None. It's a decade old problem, and developers know how to avoid them. Businesses just need to do a better job with the QA in their development process. And spotting botnet C&C traffic on your network can be done through standard monitoring.

But that's often the case with information security challenges, isn't it: businesses know what they should be doing to avoid trouble and just don't bother to do it until after there's been a nasty incident.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1414
Published: 2015-02-27
Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory.

CVE-2015-2072
Published: 2015-02-27
Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs or...

CVE-2015-2075
Published: 2015-02-27
SAP BussinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396.

CVE-2015-2076
Published: 2015-02-27
The Auditing service in SAP BussinessObjects Edge 4.0 allows remote attackers to obtains sensitive information by reading an audit event, aka SAP Note 2011395.

CVE-2015-2101
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in the Navigate bar in the Navigate module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.