How Did We Do? Verizon 2012 Data Breach Findings and Recommendations

March 25, 2012


Professional criminal organizations and “hacktivists” were responsible for more data breaches, and more theft of personal information, than ever before, according to Verizon’s 2012 Data Breach Investigations Report (DBIR). The report examined over 850 data breaches occurring in 36 countries, with over 174 million data records exposed in the past year. While the data set used in this year’s report is broader than in past years and certainly meaningful in its depth, it still does not include information collected by the FBI, one of the most important actors in investigating data breach incidents.

“Hacktivism,” once relegated to defacing the landing pages of websites, has now moved on to more sophisticated attacks, as more organizations and individuals attempt to gain and expose data in order to make a political statement.  These attacks stand in stark contrast to the criminal organizations that attempt to steal information in order to profit from it.  Also worthy of note are the industrial espionage incidents, including stealing trade secrets and intellectual property.  These incidents, while occurring much less frequently, can have far-reaching and substantial consequences for the targets of such attacks.

New to this year’s report, Verizon parses the data more finely by comparing smaller and larger organizations, both in terms of the incidents that they experience and the mitigation measures appropriate for them to undertake.  While the specific recommendations for protecting against data breaches differ depending on the size of the organization, the causes of the data breach incidents for both groups remain similar.

Hacking and malware attacks against servers and user devices remain the largest causes and targets of data breaches. “Hacking” involves the use of unauthorized means to gain access to information systems, including use of stolen credentials, guessing of weak passwords, and brute-force attacks on authentication systems. 81% of the analyzed incidents, and virtually all incidents that resulted in exposure of data records, are attributable to hacking activity. Malware, meaning any malicious software, script or code used to compromise or harm information assets, was involved in 69% of incidents and 95% of those that resulted in exposure of data records. Often, both hacking and malware were used in a single incident.

Perhaps most interesting, 98% of the data breaches were not highly difficult, and 79% resulted from targets of opportunity, meaning that the victims were targeted because they possessed an exploitable weakness that was almost always easily avoidable.

So listen up, these recommendations are worth a read:

Smaller organizations

  • Implement a firewall or access control list (ACL) on remote access services
  • Change default credentials of POS systems and other Internet-facing devices
  • If a third party vendor is handling the two items above, make sure they’ve actually done them

Larger organizations

  • Eliminate unnecessary data; keep tabs on what’s left
  • Ensure essential controls are met; regularly check that they remain so (over-reliance on point-in-time audits of PCI compliance, for example, can lead to vulnerabilities)
  • Monitor and mine event logs
  • Evaluate your threat landscape to prioritize your treatment strategy
  • See the indicators and mitigators for the most common threats included in the report (this chart is posted in the TTDL tab of this site for convenience)
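The “monitor and mine event logs” recommendation, and the report’s finding that most hacking involves guessed or brute-forced credentials, are easier to act on with a concrete detection. The following is an added example, not code from the post or from Verizon’s report: it parses constructed sshd-style log lines (hostnames and addresses are made up) and flags any source address that produces a burst of failed logins inside a short window, noting whether a successful login from that source followed the burst. The threshold and window values are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in syslog/sshd style (not real data).
SAMPLE_LOG = """\
Mar 25 02:14:01 pos-gw sshd[4021]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Mar 25 02:14:03 pos-gw sshd[4021]: Failed password for admin from 203.0.113.7 port 51123 ssh2
Mar 25 02:14:05 pos-gw sshd[4021]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 25 02:14:07 pos-gw sshd[4021]: Failed password for admin from 203.0.113.7 port 51125 ssh2
Mar 25 02:14:09 pos-gw sshd[4021]: Failed password for admin from 203.0.113.7 port 51126 ssh2
Mar 25 02:14:12 pos-gw sshd[4021]: Accepted password for admin from 203.0.113.7 port 51127 ssh2
Mar 25 02:20:41 pos-gw sshd[4099]: Failed password for clerk from 192.0.2.15 port 40010 ssh2
Mar 25 02:21:02 pos-gw sshd[4099]: Accepted password for clerk from 192.0.2.15 port 40011 ssh2
Mar 25 03:05:00 pos-gw sshd[4200]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

# Matches the sshd "Failed/Accepted password" lines; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_events(text, year=2012):
    """Turn raw lines into sorted (time, result, user, src) tuples.

    Syslog timestamps omit the year, so the caller supplies it (assumption:
    the whole sample falls in one year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_guessing(events, threshold=5, window_seconds=300):
    """Flag sources with at least `threshold` failed logins inside any
    trailing window of `window_seconds`, and record whether a successful
    login from the same source followed the burst within the same window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "Failed"]
        burst_end = None
        for i, (t, _, _, _) in enumerate(failures):
            # failures in the trailing window ending at this failure
            recent = [f for f in failures[: i + 1]
                      if (t - f[0]).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                burst_end = t
                break
        if burst_end is None:
            continue
        success_after = any(
            e[1] == "Accepted"
            and e[0] >= burst_end
            and (e[0] - burst_end).total_seconds() <= window_seconds
            for e in evs
        )
        alerts[src] = {
            "failures": len(failures),
            "users": sorted({f[2] for f in failures}),
            "success_after_burst": success_after,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_guessing(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

A burst followed by an accepted login is the case worth paging someone for, since it is the signature of a guessed or weak credential rather than mere noise; a burst with no success is still useful as a prompt to put an ACL in front of the service, as the report’s first recommendation says.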

Point-of-sale systems are particularly susceptible to attacks. According to the report, most of these attacks are directed against small companies, and most can be prevented with a few relatively easy steps. For companies processing payments using point-of-sale (POS) systems, the report suggests the following:

  • Change administrative passwords on all POS systems.  Hackers are scanning the Internet for easily guessable passwords.
  • Implement a firewall or access control list on remote access/administration services: If hackers can’t reach your system, they can’t easily steal from it.
  • Avoid using POS systems to browse the web (or anything else on the Internet for that matter). Make sure your POS is a PCI DSS compliant application (ask your vendor).
  • If a third-party vendor looks after your POS systems, ask them to confirm that these things have been done, and request documentation evidencing these activities.

Larger enterprises seem to be adopting more appropriate data security measures, but their smaller counterparts lag behind and still have some catching up to do. Hopefully, the 2012 Data Breach Investigations Report’s recommendations will be widely disseminated to the small- and medium-sized businesses that need them most. Better education is essential to protecting all of our information assets.


Dale Dietrich March 26, 2012 at 7:20 am

Terrific article.  Two things I also strongly suggest. Business owners should ensure that their database administrators/web developers hash BOTH the users passwords and their credit card numbers. These are what the bad guys are usually after. It’s astonishing how many modern websites/webservices – many originating from the valley, funded by the big Angels & VCs – do not take this basic precaution. Leaving passwords and credit-card numbers in plain text within the site’s database is akin to database malpractice.
