Verizon's first report of 2009 is the 4th such report published publicly by Verizon (they have performed 28 such analyses to-date, but only recently decided to go public with them). Verizon's goal is to release these reports on a roughly quarterly basis going forward.
The report largely focuses on breaches occurring in the 2008 calendar year, but does reference data gathered from prior years. The 2008 year saw an unprecedented number of records compromised. Verizon alone responded to breaches representing 285 million records, more than all prior years (2004-2007) combined, and those are the focus of this report.
The Actors
I think we can finally put to rest the “80% insider” myth that has been erroneously thrown about for the last decade or longer. Verizon's investigations, in fact, showed that nearly 80% of the intrusions were from external sources. Only 11% of the intrusions were the result of an insider acting alone (an additional 9% of cases involved insiders duped by an external actor into aiding an attack).
A more concerning statistic is the number of breaches that come from partner networks. While the number dropped somewhat in 2008, more than a third of all breaches were traced back to trusted supplier connections.
Of the 90 breaches analyzed by this report, 22 of them were conducted from Eastern Europe (an increase of 9% over 2007), followed closely by East Asia with 18 incidents (up 15%). North America was the 3rd-most common source, at 15 incidents. It is clear that organized crime is consistently a frequent driver of these kinds of breaches, particularly in the Eastern Europe region. Verizon, in concert with appropriate law enforcement organizations, was able to verify organized crime links in 19 of the 90 cases, and arrests were made in at least 15 of those, to date.
In the cases involving partners, it was nearly always a case where the partner network had been compromised by an external actor who was then able to leverage a trusted connection to extend their attack to the ultimate victim network. Verizon makes the point, accurately, that organizations continue to struggle with the management of partner connections, and are often ill-equipped to monitor or audit the security posture of those trusted networks. This is a huge opportunity for improvement in most organizations. Partner connections should be scrutinized heavily, and reconfigured for least privilege and least access.
It's interesting to note, before we leave the subject of 3rd-party culpability, that in none of the cases were the systems actually hosted at the partner's site. It was largely the case that administrative work had been outsourced, particularly in the food-and-beverage and retail segments, where outsourcing of POS system management is common.
The Victims
I was initially skeptical that the dataset analyzed in the report would skew heavily towards the large corporations. I mean, who calls a major telco for help with a security incident but the deep-pocketed corporations? Well, it turns out, everyone seems to. Verizon was called in to investigate breaches at companies as small as 1-10 employees, and as large as 100,000+. In fact, a full 50% of the breaches addressed in this report occurred in companies with 1000 or fewer employees, with fully 1/3 coming from companies with fewer than 100 employees.
There is one area where the data is heavily skewed, though, and that is the industries represented by the victim companies. 93% of the records compromised occurred at companies in the financial services space, which really isn't much of a surprise, given that's where the bulk of valuable credit card data is being managed.
This does not mean that the financial services industry was the most frequently attacked, however. In fact, the retail industry was attacked slightly more frequently. But the financial sector seemed to attract the most determined, motivated, and skilled attackers, and gave up the vast majority of compromised records as a result.
The Attacks
Let's talk about the nature of the attacks for a minute. In terms of percent of records exposed, 94% of those involved hacking, closely followed by malware at 90%. These two methods were by far the most popular, with deceit coming in a distant 3rd at 6%, and misuse and physical attacks bringing up the rear at 2% each.
However, there is a mitigating element here that is important to consider. Error (misconfiguration, etc.) is a contributing factor in 67% of the cases.
Given this, you can see the traditional attack methodology that we're all too familiar with: a vulnerability is identified and exploited by the hacker, then malware is placed in the victim network to enable further attacks.
A particularly worrisome methodology that Verizon has been tracking is the harvesting of data from the server's RAM. Most application vendors do not encrypt data residing in RAM, even if they do encrypt data on the disk storage subsystem. This is proving to be a rich source of unencrypted data, and hackers are starting to go after it.
There is another important factor to highlight here, while we're discussing the attacks themselves. 85% of the records breached were harvested using malware customized for the target. As a result, most malware used for these attacks is not detectable by modern antivirus systems.
I'll cover the contents of the 2nd half of the report in a follow-up post.