Know Your Enemy: Verizon Data Breach Report

DESCRIPTION

An analysis of the Verizon Data Breach Report for 2011, with a focus on the threats, their attack methodologies, and approach vectors. Delivered to InfraGard - Honolulu Chapter, May 3 2011

Verizon Data Breach Report
“Know Your Enemy” Edition
Originally prepared for InfraGard Honolulu Chapter, May 3, 2011

Beau Monday, CISSP GSEC

Information Security Officer @ HawaiianTel

Disclosures

• Hawaiian Telcom was a subsidiary of Verizon at one point, but was sold to private investors in 2005.

• This review focuses primarily on the threat side of the equation.

History

• 4th year of public releases
– Starting in 2008
– 6 total reports (mid-year supplementals in 2008 and 2009)

• Dataset now contains:
– 7 years of data
– 1700+ breaches
– 900M compromised records

Data Sources

• Verizon Caseload (94 breaches in 2010)
– Only cases where Verizon was directly engaged as an investigator and a breach was confirmed

• US Secret Service (667 breaches in 2010)
– Verizon reviewed USSS’ caseload and only included cases that matched Verizon’s criteria for a breach
– If Verizon and USSS both worked on an individual case, Verizon’s data was referenced for the report

• Dutch National High-Tech Crime Unit (30 cases spanning several years)

Things to keep in mind

• The addition of the USSS and Dutch NHTCU data has nearly doubled the size of the dataset from last year

• Comparing year-to-year data can be challenging as a result (as you will see)

Demographics – by Sector

Demographics – by Org Size

• Large companies catching a break?

• Shift towards SMBs?

Threat Agents

• Attacks via partners down from 10% to <1% (!)

• Attacks via insiders down from 48% to 17% (!)

Threat Agent Trends

• Insider threats have declined, but not by as much as the first graph indicated

Who are the (external) bad guys?

• Eastern Europe takes a commanding lead

Who are the (internal) bad guys?

• Quite a jump in regular users (was 51% last year)

• % of breaches involving Finance staff doubled

• % of breaches involving executives increased from 7% to 11%

Threat Categories

• Malware was #1 last year, but dropped to 4th in 2010

• Physical doubled as a % of breaches

Malware

Malware Customization

Hacking Methodologies

Attack Pathways

Social Engineering Trends

• 11% of breaches employed some level of social engineering (down from 28% last year)

Physical Attacks

• Physical attacks are twice as prevalent versus last year

• ATM and Gas Pump skimmers represent the bulk of this increase

Recommendations

• Overall: “Achieve essential, then worry about excellent”

Recommendations (cont.)

• Access Controls
– Change default creds
– Review user accounts often
– Restrict and monitor privileged accounts

• Network Management
– (Catalog and) Secure Remote Access Services
– Monitor and filter egress traffic

Recommendations (cont.)

• Secure Development
– Application testing and code review

• Log Management and Analysis
– Enable application and network logs (and monitor them)
– Define “anomalous” and then look for it
– Try to achieve real-time log monitoring/alerting

Recommendations (cont.)

• Incident Management
– Create an Incident Response Plan
– Engage in mock incident drills

• Training and Awareness
– Increase awareness of social engineering
– Train employees to look for signs of tampering and fraud

References & Contact Info

• References:
– Verizon Data Breach Investigations Report 2011: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
– Verizon DBIR 2011 – Metrics, Interpretations and Action Plans: http://www.dman.com/verizon-data-breach-investigations-report-2011/

Contact me: Beau.Monday@Hawaiiantel.com
