

Breaches Down, Insider Attacks Up, Verizon Business/Secret Service Study Says

PCI compliance, saturation of black market may have driven decline, investigators say

The number of records compromised in major data breaches dropped sharply last year, according to a new study being issued today. But the causes of those breaches changed dramatically, shifting strongly toward insider attacks.

Those are just two of the conclusions revealed in the 2010 Verizon Data Breach Investigations Report (PDF), a study that has been conducted annually by the forensics unit of Verizon Business, and this year combines Verizon's data with breach data compiled by the U.S. Secret Service.

One of the most striking figures in the new study is that even after combining its own numbers with those of the Secret Service, Verizon recognized a drop in the number of records breached last year. After seeing more than 285 million records compromised in 2008 -- 361 million records when combined with the Secret Service data -- the combined entities saw breaches of only 143 million records in 2009.

"There's some speculation that PCI compliance may be a factor in the drop," says Bryan Sartin, director of investigative response at Verizon Business, "but there are a lot of factors to weigh here. Realistically, we won't be able to say for sure what caused the drop-off until we've got a couple of years of data to look at."

The investigators did notice a marked drop-off in breaches following the indictment of Albert Gonzalez -- the cybercriminal credited with leading the hacks of TJX, Heartland Payment Systems, and others -- in 2009, Sartin says. "For 30 to 45 days, the rate of new crimes slowed down," he reports. "The number of incidents in Japan, which has historically been very quiet, rose to almost the same level as the U.S. There was a lot of shifting during that time period."

The drop-off in records affected might also be a reflection of a shift in targets -- cybercriminals are becoming more interested in passwords and privileges than in pure credit card data, Sartin observes. "Some of it is sheer economics," he says. "The black market [for credit card data] is only so big. In the last year, we saw a drop in the market price from $9 to $16 per record to as low as 10 or 20 cents per record. It's just not as profitable a business."

While the volume of breaches shifted dramatically between Verizon's 2009 report and the 2010 report, so did the source of the attacks, Sartin notes. While external forces still reign supreme -- 70 percent of all breaches resulted from external agents -- the percentage of cases that involved insiders rose to 48 percent, an increase of 26 percent over the previous year. Some of the shift was caused by the integration of data from the Secret Service, which sees more insider cases than Verizon, but that was not the only factor in the shift, Sartin says.

"We're seeing a lot more attacks that are done through employees, like systems administrators and network administrators," Sartin reports. "People are angry. They hate their boss, they hate their jobs. The outsiders recruit them, and then use their privileged passwords to do their work."

Interestingly, he says, the insider with the credentials is usually the one who gets arrested, and they often can't identify the outsider who put them up to the crime. "Often, they never get paid for the information they give out," Sartin says.

Surprisingly, although 40 percent of the cases involved some form of hacking (down 24 percent from a year ago), most of the breaches investigated by Verizon and the Secret Service did not involve the exploitation of patchable vulnerabilities in enterprise applications. "We saw almost none of that," Sartin says. "Most of what we saw was simple exploitation of guessable passwords. These weren't very sophisticated hacks at all."

As with past Verizon Data Breach Investigations Reports, the researchers found that most companies still are doing a poor job of detecting breaches to their own systems. In the majority of cases, the breach was discovered by some external entity -- such as a business partner or auditor -- and in most cases, the breach had been in place for some length of time.

"Everyone is still failing abysmally to shorten the lag time between breach and awareness of the breach," Sartin says. "Sometimes people don't find out for months that they've been breached. Sometimes they don't act quickly when they find out."

Interestingly, Verizon finds that in about 86 percent of cases, no sophisticated forensics tools are required to locate the source of a breach. The breaches show up clearly in the system and security logs of the victim. "The breach was there, but nobody saw it because nobody was looking at the logs," he says. "It was right there in front of them."

Many enterprise IT staffs resist log analysis because there are so many logs in the average organization, and because there is a large volume of data residing in each log, Sartin observes. "They say it's like finding a needle in a haystack," he says.

But in many cases, the evidence of SQL injection or other external tampering stands out from the rest of the log data like a sore thumb, Sartin says. "In most cases, it's not an issue of trying to find a needle," he says. "If you just looked at the haystacks, you'd see it."

While the industry continues to decry the increasing sophistication of hackers, most of the actual exploits used to attack companies are fairly simple, Sartin says. "Some 87 percent of the breaches we see are easily preventable with the use of simple tools, like vulnerability scanners, and simple processes for using them," he says. "If you just do the basics right, you'd be surprised at how often a hacker will pass you by, because there are so many easier targets out there that don't."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
