22 April 2014

WHY DO DATA BREACHES HAPPEN? Clues from the Verizon DBIR 2014...

The always eagerly awaited Verizon DBIR 2014 was released earlier this year. As always, with a nice cup of coffee and some smooth jazz playing in the background, I will endeavour to distil the essence of this always excellent publication... Well, this year, the DBIR departs from just analysing data breaches to looking at 63,347 confirmed security incidents, of which 1,367 were confirmed data breaches (compared to 621 for 2012) across 95 countries (compared to 27 in 2012). This gives far greater richness to the data set and the insights that can be derived from it (rightly so, the DBIR team notes that incidents need not necessarily result on data loss to have a significant impact on an organisation – I couldn’t agree more!). Also don’t miss the month by month review of the major incidents of 2013 on pages 3 & 4, that’ll get you in the mood...


If in doubt, classify...

As in 2013, the 2014 report uses the North American Industry Classification System (NAICS), which is as good as any for introducing consistency, but will perhaps need a bit of translation and adjustment from the 2013 report... I have graphically represented the tabular information given on page 6 of the report and we can make the following observations (click on graph to enlarge):


http://media-cache-ak0.pinimg.com/originals/2c/41/46/2c41464d5fa6a10172a86f7d4857bc08.jpg
The graph on the left is for incidents reported, which shows that the public sector is perhaps a bit more trigger happy in terms of incident reporting (the DBIR cites the US agency reporting requirements, but here in the UK we experience the same with the ICO reporting on the public sector which seems to be more stringent). The graph on the right shows confirmed data breaches and the two should be looked at in conjunction.

Even if we take above into account, the public sector was still the second largest sector affected in 2013, after financial services which retains its top position from 2012, closely followed by Retail and Accommodation. And similarly to 2013, Agriculture seems to be the safest sector from cybercrime...

The new top 4 sectors affected are: Financial Services, Public Sector (new entrant), Retail and Accommodation. Manufacturing, whilst still worthy of note, has reduced both in absolute and percentage terms compared to 2013. And as we’re talking about sector split, it is useful to see the comparison between 2012 and 2013 (click on graph to enlarge):

http://media-cache-ec0.pinimg.com/originals/b3/d4/17/b3d41796fda5ee4ddc7c96218d0376a5.jpg
 
Nine out of ten of all breaches can be described by nine basic patterns...

The 2013 DBIR left us with the exciting prospect that we might be “able to reduce the majority of attacks by focusing on a handful of attack patterns”, and yes, the 2014 DBIR does just that, by reducing the attack patterns to the following nine (click on graph to enlarge):

http://media-cache-ec0.pinimg.com/originals/88/42/a7/8842a7cadcdafdac0b6b3b02fefea4a6.jpg

Again, no surprise there, web application attacks still top of the list and POS intrusions & Card Skimmers have reduced in relative terms to that exhibited in previous years. This trend, IMHO, will continue to accentuate as the US migrates towards EMV (Chip & PIN), and criminals turn their attention to e-commerce more and more (including the expected growth of mobile commerce). Indeed this is confirmed on Figure 20 page 16 of the report. Cyber-espionage is also on the rise from previous years and I am sure my commentary is not needed as to why that is...

Let’s dig deeper...

However, as every professional worth their salt will know, one size very rarely fits all, and therefore the 2014 DBIR goes on to examining how the various attack patterns fit into each industry sector, which I have summarised for you below (in bracket the NAIC number) only listing the key attack patterns for each sector and allocating them in a simple grouping...

Those that should really concentrate on giving their staff more generic security training and beef up on insider fraud prevention measures (including data loss prevention), effective access management as well as device encryption and retention/disposal policies (subtitle: Oops, I did it again...):

  • Healthcare [62]: Theft/Loss (46%), %), Insider Misuse (15%), Miscellaneous Errors (12%)
  • Administrative [56]: Miscellaneous Errors (43%), Insider Misuse (27%), Theft/Loss (12%)
  • Real Estate [53]: Insider Misuse (37%), Miscellaneous Errors (20%), Theft/Loss (13%)
  • Public Sector [92]: Miscellaneous Errors (34%), Insider Misuse (24%), Theft/Loss (19%)
  • Mining [21]: Insider Misuse (25%), Theft/Loss (10%)
  • Education [61]: Miscellaneous Errors (20%), Theft/Loss (15%)
  • Transportation [48 49]: Insider Misuse (16%)
  • Construction [23]: Insider Misuse (13%), Theft/Loss (13%)
  • Entertainment [71]: Miscellaneous Errors (12%)
  • Trade [42]: Miscellaneous Errors (9%)
  • Accommodation [72]: Insider Misuse (8%)
Note: the report shows that export data was a threat action found in 24% of the breaches in 2013.

Those that should really concentrate on application security, perimeter protection, intrusion prevention and outbound connections:
  • Information [51]: Web Application Attack (41%), Crimeware (31%), Denial of Service (9%)
  • Utilities [22]: Web Application Attack (38%), Crimeware (31%), Denial of Service (14%)
  • Finance [52]: Web Application Attack (27%), Denial of Service (26%), Payment Card Skimmer (22%)
  • Professional [54]: Denial of Service (37%), Cyber Espionage (29%), Web Application Attack (9%)
  • Retail [44 45]: Denial of Service (33%), POS Intrusion (21%), Web Application Attack (10%)
  • Manufacturing [31 32 33]: Denial of Service (24%), Web Application Attack (14%)
  • Education [61]: Web Application Attack (19%),
  • Management [55]: Denial of Service (44%), Web Application Attack (11%), Payment Card Skimmer (11%)
Note: the deployment of multi-factor authentication is notably effective in this section as well as effective password management. It is also interesting to note that the analysis of threat actions shows that SQL Injection, after exhibiting a dip in 2012, experienced substantial growth in 2013 (it was found in 8% of all the breaches compared to 4% in 2012) and was leveraged in 80% of attacks against web applications in the retail industry, and that really is sad...

Those that should really concentrate on information asset protection to prevent IP Theft, focus on not being the weakest link in their value chain (as this endangers their customers) and on training their staff on the dangers of ID Theft through social engineering as well as putting measures in place to protect themselves from crimeware:

  • Mining [21]: Cyber Espionage (40%), Insider Misuse (25%), Theft/Loss (10%)
  • Construction [23]: Crimeware (33%), Cyber Espionage (13%), Insider Misuse (13%), Theft/Loss (13%)
  • Information [51]: Crimeware (31%)
  • Utilities [22]: Crimeware (31%)
  • Transportation [48 49]: Cyber Espionage (24%), Web Application Attack (15%), Crimeware (15%)
  • Public Sector [92]: Crimeware (21%)
  • Professional [54]: Cyber Espionage (29%), Web Application Attack (9%)
  • Manufacturing [31 32 33]: Cyber Espionage (30%), Web Application Attack (14%)
  • Management [55]: Web Application Attack (11%), Cyber Espionage (11%)
  • Trade [42]: Crimeware (9%)
Note: and yes, multi-factor authentication features again in this section as an effective control, as well as threat monitoring and of course anti-virus protection and network segmentation as well as regularly applying software updates (the DBIR says “Patch ALL THE THINGS!”) and keeping good logs and using cool tech such as Data Execution Prevention (DEP) and Endpoint Threat Detection and Response (ETDR) solutions... Also, in the UK, ID Theft represented 60% of all fraud in 2013 (and payment cards only 30%) see http://www.cifas.org.uk/fraudscape_twentyfourteen and this is confirmed in the report by the fact that use of stolen credentials was the number one threat action in 2013 and was found in 31% of the breaches. As if you needed more evidence, Phishing was used in 18% of the breaches and is the number 3 threat action in 2013.
 

Those that should really concentrate on payment security:
  • Accommodation [72]: POS Intrusion (75%)
  • Finance [52]: Web Application Attack (27%), Payment Card Skimmer (22%)
  • Retail [44 45]: POS Intrusion (21%), Web Application Attack (10%)
  • Management [55]: Web Application Attack (11%), Payment Card Skimmer (11%)
Note:a common scenario in POS intrusion is the use of stolen vendor credentials. In one case the credentials stolen belonged to a POS vendor and were compromised via Zeus malware infecting the vendor’s systems, where they used the same password for all the organisations they managed... In addition, RAM scrapers experienced substantial growth and were found in 16% of the breaches, perhaps due to the increased use of encryption for both data at rest and in transit, which is a continuing trend from previous years. Furthermore, 99% of POS intrusion related breaches were discovered by external parties, not the breached organisation...And in 55% of POS Intrusions the hacking vector was a third party desktop (and in 35% a shared desktop). The deployment of multi-factor authentication is particularly relevant to this section and will also prepare businesses for the new European Payment Services Directive (PSD 2). And of course, educate (and maybe you’ll catch that fake engineer that comes to install the key logger under your nose...). For  more evidence, see my earlier post http://neirajones.blogspot.co.uk/2014/03/dont-be-target-on-retail-pos-banks-emv.html

And are we better at incident response?...
 

Well, sad news here, and whilst there is not much data in the report apart from the generic graph on page 12 (Figure 13), we can see that the gap continues to widen between “how long it takes the attacker to compromise an asset and  how long it takes the defender to discover this”. To quote the DBIR: “the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.” Hey ho, we just have to keep plugging at it...
 

What next?
 
Well, I hope this summary will encourage you to read the full report, as you will find many other hidden gems in there. Also, apart from Cyber Espionage on page 39, none of the 8 other attack patterns will show the details of victim country (I have suggested this on a number of occasions, so maybe someday...) and I believe this would be particularly interesting to spot the differences once we overlay socio-economic conditions and technology considerations in the various countries (or groups thereof). I also believe it would be nice to have some analysis (or at least data) on breaches or incidents that resulted directly from lack of security at third parties (partners) in the supply chain of any given business (e.g. like in the Target breach). The DBIR still only gives information on partners where they are the threat actors (i.e. they perpetrate the breach, see page 8). Given the increased focus on supply chain management in various regulations worldwide, this would be a nice addition...

Thanks again to the Verizon DBIR team for an excellent report!


Until next time...
neirajones