Verizon report finds not enough attention paid to security practices, analysis and the 'human factor.'
EDITOR'S NOTE: This is part one of a two-part story on data security breaches.
Most breaches last year — and 98 percent of data stolen — were the work of criminals outside the victim organization, with organized crime responsible for 85 percent of all stolen data last year. But social engineering also played a greater role than last year: Insiders played a role in nearly half of all breaches, up by a quarter since 2008.
Those findings, from Verizon’s Data Breach Investigations Report for 2010, are based on the telco’s own data and, new this year, that of the U.S. Secret Service. The two datasets showed some differences — Verizon showed more breaches by outsiders, while the Secret Service pegged insiders as the greater threat — “but didn’t shake our world view,” Verizon said.
Neither do the findings differ substantially from those of the 2009 report, said the lead author of the report, Wade Baker, Verizon Business' director of risk intelligence.
Organizations continued to fail to change default passwords on network devices or analyze network monitoring data; and Web-surfing, Internet-searching users remained all-too-naively eager to click on hyperlinks.
There have been small changes that raise hopes for the good guys. For example, Baker said, “Third-party fraud detection is still the most common way breach victims come to know of their predicament,” but the numbers are down slightly. The report attributes the 9 percent drop to 60 percent to “internal active measures — those actually designed and deployed to detect incidents.”
But for the most part, Baker said, “as it was for last year, organizations collect the data but don’t analyze the data; they don’t use it. That’s really not improving.”
That’s also what Enterprise Management Associates found in its survey, said EMA managing research director Scott Crawford. The IT consulting firm and research group asked organizations from different sectors about their security practices and the outcomes of IT security breach events.
“About one quarter of the group we surveyed was fairly thorough and comprehensive about the full ‘plan, do, check, act’ philosophy,” he said. “They defined the problem, implemented the solution, monitored the environment and responded when new issues warranted.”
The other 75 percent “fell down at one or more of these milestones in some meaningful way," he added. "If they monitored, they may not have responded effectively. They may have had policy that defined their approach, but they didn’t enforce the policy.”
And even minor network policy violations can be significant. Verizon found a correlation between minor policy violations and more serious abuse. “Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach,” the report said.
In one recent Verizon case, a fired systems administrator stole sensitive data from his former employer as well as personal data from its customers, and tried to blackmail his former employer with it. “What makes it worse,” the Verizon data breach team said, is that he had a history of IT policy violations and inappropriate behavior.
Preventing 96 percent of data breaches would require no great difficulty, the report said. “Last year, leaving default passwords in place was the No. 1" network security policy violation, Baker said. “This year it’s not No. 1, but it’s still among the top 10.”
In the Verizon case above, the aspiring blackmailer was able to capture the sensitive data because, although his administrative account password had been changed, the change was minuscule and predictable: from Password1 to Password2.
Another practice that continues to be problematic is collecting the data but failing to analyze it. “In 86 percent of incidents we investigated, the victims had evidence of the attack in their log files,” Baker said. “Our investigators show up to work the case and find the evidence in the log files, which have been sitting there for six months.”
However, log analysis or log review typically finds about 1 percent of breaches, Baker said. “We really need a better way to use our log files.”
Or conceivably, better log reports. IT security guru Anton Chuvakin is creating a new “Top 7 Essential Log Reports” for SANS Security Institute. Among his proposed candidates: network activity reports, called suspicious or unauthorized network traffic patterns in the current SANS list; and authentication and authorization, which includes login failures and successes, logins after office hours and attempts to gain unauthorized access through existing accounts.
Anti-forensics use such as data wiping, hiding and corruption is about the same as last year; Verizon found evidence of anti-forensics in about a third of cases. The estimate is probably low, the report said, because “the very nature of these techniques centers on not leaving signs of their use.”
NEXT: Malware use is on the rise. It was a factor in 94 percent of all data lost, according to the Verizon report. Criminals leverage not just new code but also the World Cup and Chelsea Clinton’s wedding to get at your data.
NEXT STORY: Insourcing failed, DOD's Gates says. Now what?