Risk
7/28/2010
05:45 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Verizon Data Breach Report: Some Big Surprises

One of the most comprehensive data breach reports available found the number of breaches to have declined significantly last year, and significant changes in how attackers are infiltrating companies.

One of the most comprehensive data breach reports available found the number of breaches to have declined significantly last year, and significant changes in how attackers are infiltrating companies.For an overview of the report headlines, take a look at Thomas Claburn's story from this morning, Stolen Records, Data Prices Decline. Essentially, the market for stolen records has collapsed under its own weight: with roughly 143 million records breached last year compared to 285 million the year before.

One year's data does not make a trend change. And I've seen years past when data breaches and reported successful attacks took short term reprieves only to spike viciously upward again. And, perhaps it was the arrest of Alberto Gonzales (TJX and Heartland Payment Systems), coupled with supply of breached records far outstripping their demand that contributed to the year over year drop. The price for breached record ranged from $9 to $14 a few years ago to 20 cents or less today.

But it is good news nonetheless. However short-lived I expect it to be.

If criminals are not trying to grab as many financial and credit card data as years past because the market is literally flooded, what might many be targeting now? Well, in a market driven economy, even an underground economy, suppliers will shift to where demand is highest and availability is scarce. That could include medical records, as well as attacks on Fortune 500-sized companies for proprietary information to steal to direct competitors and producers of counterfeit goods.

That's why in the next few years I expect to see more data stolen that could be used for medical identity theft, as well as more attacks similar to those that surfaced early this year that targeted Google and other major software makers.

Another interesting takeaway from the report, within the hacking section, page 27, (Full report is available for download here.) is how wildly successful the use of stolen login credentials is. While constituting 38 percent of incidents in the report, 86 percent of all breached records were stolen this way. The two other most common attack methods where the exploitation of backdoor and/command and control channels established (such as with botnets).

The troubling thought with so many stolen credentials in play is how that suggests insiders are obtaining and selling logon information. That could be a challenging problem for businesses to solve as it may require the deployment of a another factor of authentication, such as smart card or biometric in addition to the username and password combination. Perhaps changing passwords more often could help.

However, the other two can be more readily managed. There's virtually no excuse for SQL Injection vulnerabilities to be present in modern day systems. None. It's a decade old problem, and developers know how to avoid them. Businesses just need to do a better job with the QA in their development process. And spotting botnet C&C traffic on your network can be done through standard monitoring.

But that's often the case with information security challenges, isn't it: businesses know what they should be doing to avoid trouble and just don't bother to do it until after there's been a nasty incident.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio