Data Breach Report 2009

The Alarming Rise in Records Breached


Last year’s Data Breach Investigations Report clearly showed that data breaches present a significant threat to organizations everywhere. But nothing prepared us for the dramatic rise in the number of compromised records we’re seeing in this year’s report. What’s happening? Where are the threats coming from? More importantly, what can you do to protect your critical information?

These are just some of the issues examined in the 2009 Verizon Business Data Breach Investigations Report (2009 DBIR), an all-new, in-depth report that analyzes data on information security breaches investigated during 2008. The report identifies developing security trends that all businesses and governments should be aware of and helps organizations understand how to best allocate their IT budgets when preparing their defenses.

Interview with Wade Baker and Dave Hylender
Information Network recently interviewed Wade Baker, Manager, Risk Intelligence, and Dave Hylender, Senior Risk Analyst, principal authors of the 2009 DBIR, to get their insights on trends revealed in the new report. “One of the smaller but emerging themes of our 2009 report is that criminal networks have become more sophisticated and they’re making very concerted attacks on organizations handling large volumes of credit card data and personal information,” said Baker. “Keeping up proper security measures in regards to those records is vital.”

What You Don’t Know Can Hurt You: Key Trends From 2008
Based on analysis of data gathered during 2008, Baker and Hylender were able to identify notable trends in security breaches. “Perhaps most alarming is the fact that the magnitude of attacks has jumped significantly. In the cases that we investigated during 2008, 285 million records were compromised. By comparison, over the four-year period analyzed in the first report, a total of 230 million records were compromised,” said Hylender. “285 million is a huge number and is actually far more than what was reported on public databases that track this kind of information.”

Other significant trends include:

  • A small number of highly sophisticated attacks accounted for the large majority of records compromised, and these attacks are increasingly being carried out by sophisticated criminal enterprises. “While attacks originate from all over the world, we know that organized crime groups in Eastern Europe have been especially active and are focusing their efforts on stealing credit card and personal identity records,” said Baker.
  • Security breaches investigated by Verizon Business increasingly involve targets outside of the United States. Fully one third of the security breaches analyzed in the report fell into this category. As in the U.S., criminal groups appear to be targeting organizations that handle credit card or personal information.
  • Large financial institutions, such as payment processors and banks that routinely deal with large amounts of credit card and account records, are being targeted more. “During 2008, these types of financial institutions accounted for the majority of compromised records,” said Hylender. Retailers and other organizations that accept credit card payments yield fewer records but still make attractive targets, as evidenced by the fact that they represent a large proportion of overall attacks.
  • New patterns in strategies and tactics are emerging. A steady increase in the number of attacks that take place via third-party vectors indicates that criminals have developed standard methods for exploiting predictable vulnerabilities and are using these tactics repeatedly as they move from one victim to another.

Are You Making a Hacker’s Job Easier?
While the nature and scope of attacks vary widely, the 2009 DBIR yields revealing insights into the strategies and tactics of criminals. During 2008, most attacks were opportunistic; criminals were searching for easily discoverable weaknesses or vulnerabilities. If an organization had sufficiently hardened security, the attackers quickly moved on in search of a softer target.

However, findings in the new report also suggest that the larger the potential data store, the more effort attackers will exert in breaking into a system. During 2008, the five largest cases accounted for 93 percent of all records compromised. These attacks were highly sophisticated in nature and targeted financial institutions with large records stores.

No matter who the attacker or what the target, Verizon Business investigators have identified common elements that characterized most attacks in 2008. “We discovered that there are basically three tactics that hackers use in these big breaches,” said Baker. “They rely on error, hacking, and malcode.”

The error. In the large majority of cases, preventable errors on the part of an organization leave the system vulnerable. These mistakes typically involve network settings, access controls, application configurations, default credentials that haven’t been changed, failure to follow established policies, and so on.

The hack. Capitalizing on the vulnerability, criminals hack their way into an organization’s system. “During 2008, our investigators uncovered a large number of SQL injection attacks, many of which are becoming more sophisticated and are often used to plant malware deep inside systems,” said Baker.

The malcode. Once criminals are into a system, they plant malicious code designed to capture credit card data and other information. In order to avoid detection, criminals are increasingly using anti-forensic measures to disguise their tracks. “Doing so not only allows them to collect large amounts of data over long periods of time,” said Hylender, “but also gives them time to explore the system and compromise other vulnerable areas.”

Awareness of a security breach often comes far too late. As Baker puts it, “It’s taking forever for companies to discover that there’s a breach. Often, a third party such as a credit card issuer discovers the fraud and informs a company that they are the source of the data breach.” By that time, the damage has already been done.

Where Are the Attacks Coming From?
Obviously, one of the main objectives of a forensic investigation is to identify the perpetrators. Understanding who committed the attack, and how they did it, can be vital to containing and remedying a breach. The 2009 DBIR reveals that external sources represent the largest source of breaches, followed by partners and internal sources.

A quick look at each of these groups offers insights into how they work: 

  • External sources. External attackers are responsible for the largest share of compromised records. Eastern Europe, East Asia, and North America account for 82 percent of all external breaches—up from 59 percent of breaches between 2004 and 2007. Although stories of state-sponsored attacks abound, the report finds no evidence to support these claims. However, evidence indicates that malicious activity originating from Eastern Europe is tied to organized crime. “We know this because we work with law enforcement and several arrests in those countries were made, and we see the same groups involved in multiple cases in our caseloads,” said Baker.
  • Partners. Partners and/or third parties constitute the second largest risk. This threat is particularly insidious as it’s very difficult to know whether a partner’s system has been compromised. “Retailers in particular are still getting exposed by the whole third-party vendor thing. Bad guys often compromise a partner with a trusted connection into the retailer—a point-of-sale server vendor, for example—and then they’re in the door. We saw that a great deal this year,” said Hylender.
  • Internal sources. Though small in number, insiders who abuse access privileges can account for costly breaches. “We discovered several instances where a terminated employee was allowed to retain access and privileges for the rest of the day. Unfortunately, damage was done during that time,” said Baker.

What You Can Do to Protect Yourself
With criminals becoming increasingly adept at circumventing security measures, the task of protecting information is not getting any easier. Companies must continue to adapt their security strategies to meet evolving threats. Balancing these demands with the pressures on IT budgets can be challenging.

“If you’ve got a limited budget, you’d probably do better reading this report to see how to best allocate that money than you would trying to figure out how to spend that money on your own,” said Baker. The 2009 DBIR offers a number of recommendations that can help you improve existing security controls:

Determine your risk profile. Determining your level of risk is one of the first things you should do to protect yourself. “If you are a financial services or retailer organization that handles credit card information, personal data, or bank account information—or if criminal groups may have reason to suspect that you handle these types of information—you are at higher risk for being a target,” said Hylender.

Review your security policies for effectiveness. Organizations need to make sure that their security policies and procedures are properly implemented and build accountability into the process. “Our findings are similar to last year, perhaps more so for retailers,” said Baker. “If you have decent security measures in place, then criminals will generally move on to softer targets.”

Start with essentials, then move to excellence. Although most organizations are reviewing their IT budgets to manage costs, you still need to make sure you’re doing what is necessary to protect your organization and the people it serves. “Now more than ever, it’s vital to make sure that essential controls are in place before moving on to more advanced security measures,” said Baker.

Improve your application testing and code review procedures. Attackers are now actively targeting the application layer. Incorporating a security development life cycle (SDLC) into application development can help diminish this threat. “This is important because an SDLC would entail regular reviews of architecture, privileges, and source code. In addition, periodic web application testing and scanning can help uncover vulnerabilities,” said Hylender.

Conduct data asset discovery and classification. Surprisingly, most organizations have limited visibility into their information assets and even less into what transpires between and within them. “This is at odds with one of the fundamental rules of data protection, namely that you need to know what requires securing before you can secure it,” said Baker. “A thorough data asset discovery and classification process can help you not only determine where data is stored but also where the data flows throughout the organization. This can give you the information you need to put rigorous controls in place wherever needed.”
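As an added illustration of the discovery step described above (example code written for this article, not part of the report or the interview), the scan below looks for card-number-shaped values in a set of assets, keeps only those that pass the Luhn check so that order IDs and phone extensions are not misreported, and records masked values only. The asset paths and contents are constructed samples; the card numbers are standard test numbers.

```python
"""Card-data discovery scan: find PAN-like numbers in assets and classify them."""
import re
# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: drops numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits so the report itself stores no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list:
    """Return masked, Luhn-valid PANs found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits

def classify_assets(assets: dict) -> dict:
    """Map asset name -> {pan_count, samples, classification}."""
    report = {}
    for name, content in assets.items():
        pans = find_pans(content)
        report[name] = {
            "pan_count": len(pans),
            "samples": pans[:3],
            "classification": "CARDHOLDER DATA" if pans else "no card data found",
        }
    return report

# Constructed sample assets (hypothetical paths; the PANs are standard test numbers).
SAMPLE_ASSETS = {
    "pos/export_2008-11.csv": "txn_id,card,amount\n1001,4111 1111 1111 1111,19.99\n"
                              "1002,5500-0000-0000-0004,42.10\n",
    "web/access.log": "10.0.0.5 - - [12/Nov/2008] GET /order?id=1234567890123 200\n",
    "hr/phonebook.txt": "ext 4111, fax 1111\n",
}
if __name__ == "__main__":
    for asset, info in classify_assets(SAMPLE_ASSETS).items():
        print(f"{asset}: {info['classification']} ({info['pan_count']} PANs) {info['samples']}")
```

The 13-digit order ID in the web log is a shape match but fails Luhn, which is the kind of false positive a plain regex sweep would otherwise flag as cardholder data.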

In the end, organizations need to ask themselves a fundamental question: Do we have data that criminals want and are willing to spend substantial time and energy getting? “If the answer to that question is yes,” said Baker, “then you probably have some work ahead of you. You need to make sure that the security fundamentals are in place and build upon those wherever you can. Doing so can help reduce your exposure and increase the likelihood that criminals will move on to easier targets.”
