Breaches Down, Insider Attacks Up, Verizon Business/Secret Service Study Says
PCI compliance, saturation of black market may have driven decline, investigators say
The number of records compromised in major data breaches dropped sharply last year, according to a new study being issued today. But the causes of those breaches changed dramatically, shifting strongly toward insider attacks.
Those are just two of the conclusions revealed in the 2010 Verizon Data Breach Investigations Report (PDF), a study that has been conducted annually by the forensics unit of Verizon Business, and this year combines Verizon's data with breach data compiled by the U.S. Secret Service.
One of the most striking figures in the new study is that even after combining its own numbers with those of the Secret Service, Verizon recorded a drop in the number of records breached last year. After seeing more than 285 million records compromised in 2008 -- 361 million records when combined with the Secret Service data -- the combined entities saw breaches of only 143 million records in 2009.
"There's some speculation that PCI compliance may be a factor in the drop," says Bryan Sartin, director of investigative response at Verizon Business, "but there are a lot of factors to weigh here. Realistically, we won't be able to say for sure what caused the drop-off until we've got a couple of years of data to look at."
The investigators did notice a marked drop-off in breaches following the indictment of Albert Gonzalez -- the cybercriminal credited with leading the hacks of TJX, Heartland Payment Systems, and others -- in 2009, Sartin says. "For 30 to 45 days, the rate of new crimes slowed down," he reports. "The number of incidents in Japan, which has historically been very quiet, rose to almost the same level as the U.S. There was a lot of shifting during that time period."
The drop-off in records affected might also be a reflection of a shift in targets -- cybercriminals are becoming more interested in passwords and privileges than in pure credit card data, Sartin observes. "Some of it is sheer economics," he says. "The black market [for credit card data] is only so big. In the last year, we saw a drop in the market price from $9 to $16 per record to as low as 10 or 20 cents per record. It's just not as profitable a business."
While the volume of breaches shifted dramatically between Verizon's 2009 report and the 2010 report, so did the source of the attacks, Sartin notes. While external forces still reign supreme -- 70 percent of all breaches resulted from external agents -- the percentage of cases that involved insiders rose to 48 percent, an increase of 26 percent over the previous year. Some of the shift was caused by the integration of data from the Secret Service, which sees more insider cases than Verizon, but that was not the only factor in the shift, Sartin says.
"We're seeing a lot more attacks that are done through employees, like systems administrators and network administrators," Sartin reports. "People are angry. They hate their boss, they hate their jobs. The outsiders recruit them, and then use their privileged passwords to do their work."
Interestingly, he says, the insider with the credentials is usually the one who gets arrested, and they often can't identify the outsider who put them up to the crime. "Often, they never get paid for the information they give out," Sartin says.
Surprisingly, although 40 percent of the cases involved some form of hacking (down 24 percent from a year ago), most of the breaches investigated by Verizon and the Secret Service did not involve the exploitation of patchable vulnerabilities in enterprise applications. "We saw almost none of that," he says. "Most of what we saw was simple exploitation of guessable passwords. These weren't very sophisticated hacks at all."
As with past Verizon Data Breach Investigation Reports, the researchers found that most companies still are doing a poor job of detecting breaches to their own systems. In the majority of cases, the breach was discovered by some external entity -- such as a business partner or auditor -- and in most cases, the breach had been in place for some length of time.
"Everyone is still failing abysmally to shorten the lag time between breach and awareness of the breach," Sartin says. "Sometimes people don't find out for months that they've been breached. Sometimes they don't act quickly when they find out."
Interestingly, Verizon finds that in about 86 percent of cases, no sophisticated forensics tools are required to locate the source of a breach. The breaches show up clearly in the system and security logs of the victim. "The breach was there, but nobody saw it because nobody was looking at the logs," he says. "It was right there in front of them."
Many enterprise IT staffs resist log analysis because there are so many logs in the average organization, and because there is a large volume of data residing in each log, Sartin observes. "They say it's like finding a needle in a haystack," he says.
But in many cases, the evidence of SQL injection or other external tampering stands out from the rest of the log data like a sore thumb, Sartin says. "In most cases, it's not an issue of trying to find a needle," he says. "If you just looked at the haystacks, you'd see it."
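To illustrate Sartin's point that SQL injection attempts and the password guessing described earlier stand out in the logs a victim already has, here is a small triage pass over constructed web access log and sshd log lines. This is example code written for this article, not tooling from Verizon or the Secret Service; the addresses, hostnames, usernames and timestamps are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus
# Constructed Apache-style access log lines (combined format, trimmed).
ACCESS_LOG = """\
203.0.113.7 - - [05/Jul/2010:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [05/Jul/2010:10:01:05 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 8012
203.0.113.9 - - [05/Jul/2010:10:01:09 +0000] "GET /products?id=42%20UNION%20SELECT%20name%2Cpw%20FROM%20users HTTP/1.1" 500 214
"""

# Constructed sshd-style auth log lines: a short guessing run, then a success.
AUTH_LOG = """\
Jul  5 10:03:01 web01 sshd[2210]: Failed password for admin from 203.0.113.9 port 50122 ssh2
Jul  5 10:03:02 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50123 ssh2
Jul  5 10:03:03 web01 sshd[2212]: Failed password for admin from 203.0.113.9 port 50124 ssh2
Jul  5 10:03:30 web01 sshd[2215]: Accepted password for admin from 203.0.113.9 port 50127 ssh2
Jul  5 10:04:00 web01 sshd[2220]: Accepted publickey for alice from 198.51.100.4 port 40111 ssh2
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
# Decoded query-string fragments that almost never occur in legitimate traffic.
SQLI_RE = re.compile(r"(?i)('\s*or\s+\d+\s*=\s*\d+|\bunion\s+select\b|--\s*$)")

def find_sqli(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded_request_path) for requests carrying SQLi indicators."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, path = m.group(1), unquote_plus(m.group(2))  # decode %27, %20 etc. first
            if SQLI_RE.search(path):
                hits.append((ip, path))
    return hits

FAILED_RE = re.compile(r"Failed password for \S+ from (\S+) port")
ACCEPT_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")

def find_guessing(log_text: str, threshold: int = 3) -> list[tuple[str, str, int]]:
    """Return (source_ip, user, prior_failures) for logins accepted after >= threshold failures."""
    failures: Counter = Counter()  # failed attempts seen so far, keyed by source IP
    hits = []
    for line in log_text.splitlines():
        f = FAILED_RE.search(line)
        a = ACCEPT_RE.search(line)
        if f:
            failures[f.group(1)] += 1
        elif a and failures[a.group(2)] >= threshold:
            hits.append((a.group(2), a.group(1), failures[a.group(2)]))
    return hits
```

Both checks are deliberately crude: the point is that a single pass over logs the organization already keeps surfaces the two patterns the report says dominate, before any forensics tooling is involved.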
While the industry continues to decry the increasing sophistication of hackers, most of the actual exploits used to attack companies are fairly simple, Sartin says. "Some 87 percent of the breaches we see are easily preventable with the use of simple tools, like vulnerability scanners, and simple processes for using them," he says. "If you just do the basics right, you'd be surprised at how often a hacker will pass you by, because there are so many easier targets out there that don't."