Verizon Data Breach Report: Bad Guys Target Low-Hanging Fruit

Cybercriminals are making a leap from the big score to easy money, according to Verizon Business' annual report on data breaches, which was published earlier today.

According to Verizon's much-awaited 2011 Data Breach Investigations Report, the number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008.

But this year’s report covers approximately 760 data breaches, the largest caseload to date, according to the researchers. So while the number of breaches continues to go up, the number of records affected is going down.

"The seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals," the report says. "They are engaging in small, opportunistic attacks, rather than large-scale, difficult attacks, and are using relatively unsophisticated methods to successfully penetrate organizations."

"I think what we're seeing is that there's a big change in the type of data that criminals are going after," says Dave Ostertag, global investigations manager at Verizon Business. "There's a glut of personal data out there now, and there really isn't a great market for it. The value of intellectual property, on the other hand, is much higher -- criminals are finding that they can make as much money from stealing a smaller number of highly sensitive records as they can from stealing a big database of customer information."

The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks, Verizon says. The total number of insider attacks actually remained relatively constant.

Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords, the report says. For the first time, physical attacks -- such as compromising ATMs -- appeared as one of the three most common ways to steal information, and constituted 29 percent of all cases investigated.

Large-scale breaches dropped dramatically last year, while attacks involving smaller numbers of records increased, Verizon says. "Small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets," the report states.

"The guys responsible for a big breach are more likely to get caught than somebody who does a lot of little breaches," Ostertag says. "The criminals are learning that they don't need to do a large intrusion to make a steady business. They just follow supply and demand."

Greater reliance on automated attacks means that there are more attempted intrusions than ever, but the level of sophistication has dropped, says Steve Dauber, vice president of marketing at RedSeal Systems, a maker of tools for measuring enterprise security risk and posture.

"If you look at the [Verizon report], you see that most attacks were not targeted at a specific company, but were designed to find the enterprises that were most vulnerable," Dauber says. "Ninety-seven percent of the breaches could have been avoided by using simple controls.

"What this says to me is that we're seeing more and more automated attacks, but most enterprises are responding with human defenses that can't keep up," Dauber says. "With so many automated attacks, companies are going to have to start looking harder at more automated defenses." Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data, according to the report. The most common kinds of malware found were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.

Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security, according to Verizon. "Failure to change default credentials remains an issue, particularly in the financial services, retail, and hospitality industries," the report states.

Ostertag offered some advice for enterprises that want to avoid the types of breaches that Verizon sees.

"Protect your data -- only store data as long as you need it," he advises. "Enable your logs and look at them -- in 46 percent of our cases, the breach is discovered not by the victim, but by a third party. If you're not sure what to look for, ask your security companies about it."

Enterprises should also work hard to enforce the policies they already have in place, Ostertag advises. Companies should be aware of what their employees are using at home, and how personal systems are interacting with corporate systems.

"There's a very high correlation between employees who frequently violate security policy and actual breaches and compromises," Ostertag says. "Make sure your employees are following the protocol, and that they are only getting access to the resources they need to do their jobs."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.