A few weeks back there was a great document released by Verizon (yep, the big American telco) titled Verizon 2012 Data Breach Investigations Report. This weekend at the OWASP AppSec Asia Pacific Conference, I sat in on a talk from Mark Goudie from Verizon who helped put the whole report in perspective. Now this is a really interesting report because rather than talking about vulnerabilities (i.e. potential risks), they’re actually looking at exploits; this is hard facts, people!

This report is based on 855 incidents in 2011 (don’t be confused by the year in the title!) and because Verizon does this each year, there’s lots of data on how trends are changing. It’s also 80 pages of hard facts which can be rather a lot to digest. But there are some really interesting nuggets in there for those who take a bit of an interest in security. Let me cherry-pick a few of the good ones.
1. Breaches are (almost) no longer coming from inside the organisation
2. Hacktivists are becoming seriously bad news
3. The majority of breaches are related to simple credential theft
4. You’re way more likely to be socially engineered by talking to someone than via email
5. Breaches take only minutes yet are discovered after months – and then they take a long time to fix
1. Breaches are (almost) no longer coming from inside the organisation
It wasn’t that long ago that the common belief (and there were plenty of numbers backing this up), was that a significant portion of breaches stemmed from inside the organisation. Disgruntled employees, opportunistic mutineers, those off to greener pastures grabbing a handful of data on their way out – whatever – but it’s now a very different story:

Who is behind data breaches?

98% stemmed from external agents (+6%)
4% implicated internal employees (-13%)
<1% committed by business partners (<>)
58% of all data theft tied to activist groups

From the report: No big surprise here; outsiders are still dominating the scene of corporate data theft. Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011. Activist groups created their fair share of misery and mayhem last year as well—and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role across the caseload. As one might expect with such a rise in external attackers, the proportion of insider incidents declined yet again this year to a comparatively scant 4%.

[Figure: Threat agents over time by percent of breaches]
Oh – and in case you’re wondering why 98% plus 4% plus under 1% adds up to more than 100%, some breaches span both external and internal players. For example, someone external socially engineers someone internal into divulging their credentials. Makes sense now!
2. Hacktivists are becoming seriously bad news
This shouldn’t come as a surprise, but the number above is still alarming; 58% of data theft was tied to individuals purporting to carry out their illegal activities on the basis of some form of activist belief. Frankly, when you look at the demographic of those being caught in the act (frequently teenagers or early 20’s), I suspect that whilst these individuals are readily attaching themselves to hacktivist groups such as Anonymous and LulzSec, it’s more about gaining a bit of notoriety and having some lulz than it is about fighting for a cause.

From the report: The most significant change we saw in 2011 was the rise of “hacktivism” against larger organizations worldwide.

Regardless of the motivations of hacktivists, the fact remains that there is a groundswell of individuals out there queuing up to take a shot at just about any website they can get their hands on. They don’t need the financial incentive of true cybercriminals or the political and military goals of nation states, they just need an easy target. Frankly, for website owners, this indiscriminate targeting should be rather worrisome.
Source: www.troyhunt.com