Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

When Hackers Want Much More Than Money

Insider attack data breaches are down in 2011, but hacktivist attacks, with motives beyond money, are up, reports Verizon 2012 Data Breach Investigations Report.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
Call 2011 the year that hacktivism became the leading cause of data breaches.

Notably, 58% of all data stolen in 2011 didn't go missing for monetary-gain purposes, as has traditionally been the case. Instead, it was obtained and leaked by hacktivist groups such as Anonymous and LulzSec.

That's according to the 2012 Data Breach Investigations Report from Verizon, released Thursday. As in previous years, both the U.S. Secret Service and the Dutch National High Tech Crime Unit contributed data to the report. For the first time, however, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit of the London Metropolitan Police also contributed data from their investigations. All told, the report analyzed data from 855 incidents, involving 174 million compromised records.

[ Businesses are becoming more efficient in breach responses. See Data Breach Costs Drop. ]

Overall, the Verizon report found that 98% of attacks were caused by outsiders, although sometimes in collusion with insiders, who were involved in 4% of attacks, and business partners, who were involved in fewer than 1% of attacks.

Interestingly, about five years ago, previous Verizon data breach studies were reporting that about an equal number of attacks could be traced to insiders as well as outsiders. Since then, however, the number of losses traced to cyber criminals has increased, and in 2011, hacktivism came onto the scene in force. "We're all seeing in the media the Occupy movement, Anonymous. There's a big mentality shift where it used to be all about the money, and now we're seeing a big shift where it's not all about the money," said Novak. "We're seeing a lot of these hacktivist groups that are doing it purely for political or social reasons."

Whether or not Anonymous and its ilk hold up a mirror to the poor state of IT security, as some industry watchers have said, such groups often face few obstacles. Notably, 96% of the attacks detailed in the Verizon report weren't highly difficult, and 97% could have been easily avoided without needing to resort to difficult or expensive countermeasures. Furthermore, 79% of breached businesses were simply targets of opportunity.

Novak cautioned, however, that insider attacks are still a significant problem, and quantity-wise may not have changed significantly. But with the overall number of attacks and breached records reported to Verizon having increased dramatically, that's skewed the percentages away from insider attacks.

As in previous years, the Verizon report found that cybercrime attacks are global in nature. Indeed, attacks launched in 2011 that resulted in breaches originated in at least 36 countries, versus just 22 countries in 2010. In 2011, the vast majority (70%) of attacks came from Eastern Europe, while just one-quarter were launched from the United States.

Attackers often favor a one-two punch. For starters, 81% of attacks and 99% of all compromised data involved hacking. But malware was also used in 69% of all attacks, and involved in 95% of compromised records.

Interestingly, this malware is rarely encountered by accident. "A lot of what we're seeing is hackers getting in through some other means, then planting this malware," said Novak. "So it's no surprise that the malware is so good at getting this data out." In terms of the "getting in" part, meanwhile, he said that exploiting weak credentials--including poor passwords--was the leading technique used by attackers, especially for smaller businesses. For larger businesses, meanwhile, attackers often installed keystroke loggers and password stealers, to make an end run around the network security defenses.

Another interesting finding is that attacks with a physical component that resulted in data breaches appeared to decline between 2010, when they'd spiked, and 2011, when fewer than 1% of compromised records, and just 10% of attacks, involved a physical component. What's behind the apparent decrease? First, Verizon said that card-skimming attacks certainly haven't gone away, and also that it's oftentimes difficult to quantify the number of records that went missing as a result.

But Novak said the decline also seems to be due to law enforcement agencies catching more card-skimming gangs. In fact, given the traditional emphasis placed on physical--more than cyber--investigations, he said the expectation was that law enforcement agencies would simply be catching more people behind physical crimes that led to data breaches. But in fact, it appears that these physical crimes are declining. "The fact that we're seeing physical go down, despite the fact that we have more law enforcement agencies reporting in, is one way we determined [that it's declining]," he said.

Cybercriminals shouldn't breathe easy, however, since almost every type of law enforcement agency is adding cybercrime investigation capabilities. "Most law enforcement agencies are tooling up at an amazing rate," said Novak. "Most law enforcement agencies are finding that there's a cyber piece to almost every case now. For example, people who investigate homicides, traditionally they never spoke with the cyber folks. But now they find that a cellphone in their case must be analyzed, a laptop must be analyzed."

Most external hacks of databases occur because of flaws in Web applications that link to those databases. In this report, Protecting Databases From Web Applications, we'll discuss how security teams, database administrators, and application developers can work together to improve the defenses of both front-end Web applications and back-end databases to prevent these attacks from succeeding. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
3/24/2012 | 5:32:49 PM
re: When Hackers Want Much More Than Money
Basically, what the Verizon report is saying is that the vast majority of these breaches can be prevented by simple, basic IT security protocol implementations? Sounds to me like the market is really good for IT security professionals right about now.

It's also amazing to me that law enforcement is "tooling up at an amazing rate" - technology (Internet, cell phones, computers) have been part of daily life for how many people for how long?

Andrew Hornback
InformationWeek Contributor
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.
CVE-2019-19011
PUBLISHED: 2019-11-17
MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueColor in ngiflib.c via a file that lacks a palette.
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.