Wednesday, January 12, 2011

Verizon's 2010 Data Breach Report

I went through the Verizon 2010 Data Breach Investigations Report recently and made a digest of the things that interest me:

Their classification of breach types:
misuse, hacking, malware, social tactics, and physical attacks.

Harm done by external agents far outweighs that done by insiders and partners. External breaches are largely the work of organized criminals. Overall, insiders were not responsible for a large share of compromised records but system and network administrators nabbed most of those that were. This finding is not surprising since higher privileges offer greater opportunity for abuse. In general, we find that employees are granted more privileges than they need to perform their job duties and the activities of those that do require higher privileges are usually not monitored in any real way.

The top three industries affected by data breaches were Financial Services, Hospitality, and Retail. The most commonly compromised data types were:
- Payment card data
- Personal information
- Bank account
- Authentication credentials

Malware and hacking accounted for more than 95% of all compromised records. Cases involving the use of social tactics more than doubled. Physical attacks like theft, tampering, and surveillance ticked up several notches.

Malware factored into 38% of 2009 breach cases and 94% of all data lost. The most frequent malware infection vector is installation or injection by a remote attacker. This is often accomplished through SQL injection or after the attacker has root access to a system.

Malware functionality by percent of records:
- Backdoor: 85%
- Send data to external site/entity: 81%
- Capture data resident on system: 84%
- System/network utilities (PsTools, Netcat): 83%
- Packet sniffer: 80%

97% of the 140+ million records were compromised through customized malware. Some samples are simply repackaged versions of existing malware, repackaged to avoid AV detection. More often the attackers altered the code of existing malware or created something entirely new.

Two hacking types that resulted in the largest percentage of breached records:
- Use of stolen credentials: 86%. The credentials were mostly obtained by malware, at a ratio of 2:1 over other methods including phishing and SQL injection.
- SQL injection: 89%. It is almost always an input validation failure. The main uses are querying data, modifying data, and delivering malware.

The most common path of intrusion is web applications.

Nearly all data were breached from servers and applications. Breaches involving end-user devices nearly doubled in 2009. Much of this growth can be attributed to credential-capturing malware.

15% of attacks were of high difficulty (advanced skills, significant customization, and/or extensive resources required), yet they accounted for 87% of the data breached.

In 2009, targeted attacks accounted for 89% of records compromised.

In over 60% of breaches investigated in 2009 it took the attacker days or longer to successfully compromise data, but in 31% it took only minutes. In more than 37% of cases it took months to discover the compromise, and in 29% it also took months to contain the compromise after it was discovered.

Third-party fraud detection is still the most common way breach victims come to know of their predicament.

Event monitoring and log analysis had successfully alerted only 6% of breach victims; this year that figure has dropped to 4%. The reason IDS doesn't work is usually poor configuration and monitoring. Yet 86% of the breaches had evidence in the logs. Ways to study logs: 1) an abnormal increase in log data, 2) abnormal line lengths within logs, 3) absence of (or an abnormal decrease in) log data.
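As an added illustration (my own code, not from the report or the post), here is a small Python script that applies those three log heuristics to a constructed sample of web-server log lines. The hourly bucketing, the sample data and the thresholds (3x the median hourly volume, 4x the median line length) are assumptions of this example.

```python
import re
import statistics
from collections import Counter

# Constructed sample (not real data): a few access-log lines per hour over
# eight hours, with the 03:00 hour missing entirely, a burst at 06:00, and
# one oversized line carrying a very long request parameter at 07:05.
def build_sample_log():
    lines = []
    for hour in range(8):
        if hour == 3:
            continue  # absence of log data for this hour
        n = 40 if hour == 6 else 4  # abnormal increase at 06:00
        for i in range(n):
            lines.append(f"2009-06-01T{hour:02d}:{i % 60:02d}:00 GET /index.html 200 512")
    lines.append("2009-06-01T07:05:00 GET /login.php?user=" + "A" * 400 + " 500 0")
    return lines

def hour_keys(day, hours):
    """Bucket keys for the hours we expect to see data in, e.g. '2009-06-01T03'."""
    return [f"{day}T{h:02d}" for h in hours]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2})")  # bucket = calendar hour

def analyze_log(lines, expected_hours, volume_factor=3.0, length_factor=4.0):
    """Apply the three DBIR log heuristics; return findings per heuristic."""
    counts = Counter()
    for line in lines:
        m = TS_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    # Baseline is the median hourly volume over hours that produced any data.
    median_count = statistics.median(counts.values()) if counts else 0
    # 1) abnormal increase in log data
    increase = sorted(h for h, c in counts.items() if c > volume_factor * median_count)
    # 3) absence of, or abnormal decrease in, log data for an expected hour
    decrease = sorted(h for h in expected_hours if counts[h] < median_count / volume_factor)
    # 2) abnormal line length (injection payloads and encoded blobs stand out)
    median_len = statistics.median(len(l) for l in lines) if lines else 0
    long_lines = [l for l in lines if len(l) > length_factor * median_len]
    return {"increase": increase, "absence_or_decrease": decrease, "long_lines": long_lines}

if __name__ == "__main__":
    report = analyze_log(build_sample_log(), hour_keys("2009-06-01", range(8)))
    for heuristic, hits in report.items():
        print(heuristic, len(hits), hits[:1])
```

Thresholds based on a single day's median are only a starting point; in practice the baseline should come from a longer history and be tuned per log source.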

Anti-forensics consist of actions taken by the attacker to remove, hide, and corrupt evidence or otherwise foil post-incident investigations. Data wiping, which includes removal and deletion, is still the most common but declined slightly. Data hiding rose by over 50%, and data corruption tripled. The use of encryption for the purposes of hiding data contributed most significantly to the increase in that technique while the most common use of data corruptions remains log tampering.
