Essential reading: Verizon's Data Breach Study

Breaches, dataloss up in 2008, report claims...

The report is essential reading; the post-mortem analysis of data breaches is to the information security industry what black-box flight recorder information is to the aviation industry. By understanding where things have gone wrong, we can avoid repeating the mistakes of some of our peers.

A phone interview with the company's director of investigative response, Bryan Sartin, has been recorded and will be included in Risky Business #104, which is due to be published in the next 24 hours.

In the mean time, the 52-page report can be found in pdf form here. It's a must read for anyone working in enterprise security.

The report makes some fairly sweeping claims about dataloss trends. Take them with a grain of salt. The statistics the company is presenting here are cobbled together from its investigation of approximately 100 dataloss incidents.

When forming your own opinion about the information presented, keep in mind the company can only put forward statistics drawn from jobs it worked on. There are many providers of forensic services. A big uptick in the number of breached records Verizon has investigated doesn't necessarily mean there's been more breaches; it could just mean the company's forensics department has grown.

That said, a report containing this much gory detail on dataloss incidents is still valuable to anyone charged with securing enterprise data.

DISCLAIMER: The following text came from a press release issued by Verizon Business:

The financial Industry accounted for 93 Percent of incidents investigated by the company, which claims most of the breaches reported to it were avoidable.

The study, based on data analysed from Verizon Business' caseload of 90 confirmed breaches throughout 2008, revealed corporations fell victim to some of the largest cybercrimes ever during 2008.

Nine out of 10 breaches were considered avoidable if security basics had been followed. Most of the breaches investigated did not require difficult or expensive preventive controls. The 2009 report concluded that mistakes and oversight failures hindered security efforts more than a lack of resources at the time of the breach.

Similar to the first study's findings, the latest study found that highly sophisticated attacks account for only 17 percent of breaches. However, these relatively few cases accounted for 95 percent of the total records breached -proving that motivated hackers know where and what to target.

Key Findings of the 2009 Report:

  • Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.
  • Most breaches resulted from a combination of events rather than a single action. Sixty-four percent of breaches were attributed to hackers who used a combination of methods. In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.
  • In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organisations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches.
  • Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications.
  • Roughly 20 percent of 2008 cases involved more than one breach. Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.
  • Being PCI-compliant is critically important. A staggering 81 percent of affected organisations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.