Monday, 16 April 2012

5 interesting security trends from Verizon’s 2012 data breach report

A few weeks back Verizon (yep, the big American telco) released a great document titled Verizon 2012 Data Breach Investigations Report. This weekend at the OWASP AppSec Asia Pacific conference, I sat in on a talk from Mark Goudie from Verizon which helped put the whole report in perspective. This is a really interesting report because rather than talking about vulnerabilities (i.e. potential risks), it looks at actual breaches that were investigated; this is hard facts, people!

This report is based on 855 incidents from 2011 (don’t be confused by the year in the title!) and because Verizon does this every year, there’s lots of data on how trends are changing. It’s also 80 pages of hard facts, which is rather a lot to digest, but there are some really interesting nuggets in there for anyone who takes an interest in security. Let me cherry-pick a few of the good ones.

1. Breaches are (almost) no longer coming from inside the organisation
2. Hacktivists are becoming seriously bad news
3. The majority of breaches are related to simple credential theft
4. You’re way more likely to be socially engineered by talking to someone than via email
5. Breaches take only minutes yet are discovered after months – and then they take a long time to fix

1. Breaches are (almost) no longer coming from inside the organisation

It wasn’t that long ago that the common belief (backed by plenty of numbers) was that a significant portion of breaches stemmed from inside the organisation: disgruntled employees, opportunistic mutineers, those off to greener pastures grabbing a handful of data on their way out. It’s now a very different story, as the report explains:
Who is behind data breaches?
98% stemmed from external agents (+6%)
4% implicated internal employees (-13%)
<1% committed by business partners (<>, i.e. no change)
58% of all data theft tied to activist groups

No big surprise here; outsiders are still dominating the scene of corporate data theft. Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011. Activist groups created their fair share of misery and mayhem last year as well—and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role across the caseload. As one might expect with such a rise in external attackers, the proportion of insider incidents declined yet again this year to a comparatively scant 4%.
Going back to that earlier comment about attacks previously often coming from inside, take a look at how the data has changed over time:
[Figure: Threat agents over time by percent of breaches]
Or to put it another way, breaches originating internally are now only about 12% of what they were a few years ago, and breaches from partners are near non-existent. The bad guys are now well and truly outside the organisation, but they’re still getting in.
Oh, and in case you’re wondering why 98% plus 4% plus under 1% adds up to more than 100%: some breaches involve both external and internal players, and are counted against each agent. For example, an outsider socially engineers an insider into divulging their credentials. Makes sense now!


2. Hacktivists are becoming seriously bad news

This shouldn’t come as a surprise, but the number above is still alarming: 58% of stolen data was tied to individuals purporting to carry out their illegal activities on the basis of some form of activist belief. Frankly, when you look at the demographic of those being caught in the act (frequently teenagers or people in their early 20s), I suspect that whilst these individuals readily attach themselves to hacktivist groups such as Anonymous and LulzSec, it’s more about gaining a bit of notoriety and having some lulz than it is about fighting for a cause.
From the report:
The most significant change we saw in 2011 was the rise of “hacktivism” against larger organizations worldwide.
Regardless of the motivations of hacktivists, the fact remains that there is a groundswell of individuals out there queuing up to take a shot at just about any website they can get their hands on. They don’t need the financial incentive of true cybercriminals or the political and military goals of nation states; they just need an easy target. For website owners, this indiscriminate targeting should be rather worrisome.