Risk
7/28/2010
05:45 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Verizon Data Breach Report: Some Big Surprises

One of the most comprehensive data breach reports available found the number of breaches to have declined significantly last year, and significant changes in how attackers are infiltrating companies.

One of the most comprehensive data breach reports available found the number of breaches to have declined significantly last year, and significant changes in how attackers are infiltrating companies.For an overview of the report headlines, take a look at Thomas Claburn's story from this morning, Stolen Records, Data Prices Decline. Essentially, the market for stolen records has collapsed under its own weight: with roughly 143 million records breached last year compared to 285 million the year before.

One year's data does not make a trend change. And I've seen years past when data breaches and reported successful attacks took short term reprieves only to spike viciously upward again. And, perhaps it was the arrest of Alberto Gonzales (TJX and Heartland Payment Systems), coupled with supply of breached records far outstripping their demand that contributed to the year over year drop. The price for breached record ranged from $9 to $14 a few years ago to 20 cents or less today.

But it is good news nonetheless. However short-lived I expect it to be.

If criminals are not trying to grab as many financial and credit card data as years past because the market is literally flooded, what might many be targeting now? Well, in a market driven economy, even an underground economy, suppliers will shift to where demand is highest and availability is scarce. That could include medical records, as well as attacks on Fortune 500-sized companies for proprietary information to steal to direct competitors and producers of counterfeit goods.

That's why in the next few years I expect to see more data stolen that could be used for medical identity theft, as well as more attacks similar to those that surfaced early this year that targeted Google and other major software makers.

Another interesting takeaway from the report, within the hacking section, page 27, (Full report is available for download here.) is how wildly successful the use of stolen login credentials is. While constituting 38 percent of incidents in the report, 86 percent of all breached records were stolen this way. The two other most common attack methods where the exploitation of backdoor and/command and control channels established (such as with botnets).

The troubling thought with so many stolen credentials in play is how that suggests insiders are obtaining and selling logon information. That could be a challenging problem for businesses to solve as it may require the deployment of a another factor of authentication, such as smart card or biometric in addition to the username and password combination. Perhaps changing passwords more often could help.

However, the other two can be more readily managed. There's virtually no excuse for SQL Injection vulnerabilities to be present in modern day systems. None. It's a decade old problem, and developers know how to avoid them. Businesses just need to do a better job with the QA in their development process. And spotting botnet C&C traffic on your network can be done through standard monitoring.

But that's often the case with information security challenges, isn't it: businesses know what they should be doing to avoid trouble and just don't bother to do it until after there's been a nasty incident.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?