by Chipmonkey

Verizon Business released their 2010 Data Breach report hours ago, and with the addition of Secret Service data for the 2010 report, there are a ton of interesting things in here.  Here are a few of the highlights that I took from the report:

  • Financial & Hospitality Beware: These two categories represent 56% of the groups involved in breaches[1].  Those of us in the industry know the ridiculously poor state of security in the hospitality sector.  Now with the economy on its way to recovery, these businesses will once again see an uptick and criminals will see an opportunity to capture valuable data.
  • Medium-Sized Businesses are in the Crosshairs: The victim grouping that stands out had between 1,001 and 10,000 employees. In my experience, companies in this range that are growing rapidly tend to push security to the back burner, which can hurt them.
  • Collusion is Key: Right away readers will notice that the percentages for the top causes of breaches add up to more than 100%.  Bryan Sartin, director of incident response for VzB, confirms that the reason for this is that often multiple issues caused the breach. An interesting statistic might be to list the percentage of breaches that occurred with just one type, two types, and three or more types of intrusion. This shows that the complexity of successful attacks is still rising and keeping ahead of the pack is as important as ever.
  • Social Engineering is BACK: People hacking is one of the most effective techniques for gaining information, and the report includes an interesting note that helps illustrate the significant amount of data loss associated with organized crime.  Sartin said that it is easier for crooks to buy off an insider than it is to try to knock over perimeter defenses.  It certainly makes it harder to prosecute the real crook when the insider becomes the fall guy. How do you identify a potential fall guy? 26% were simply employees or end users.
  • TRUE PCI Compliance Makes a Difference: 79% of the breaches discussed here did not comply with the PCI standard, but 21% did? How do we reconcile this discrepancy with the payment brands’ and PCI Council’s assertion that no PCI Compliant company has been breached? This 21% represents breaches coming from companies that validated PCI compliance (either internally or through a QSA) at some point, not that they were compliant with PCI at the time of the breach.
  • Basic Security FAILs cause Breaches: In the PCI analysis at the end of the report, I was shocked to see that Requirements 2 (change vendor supplied defaults) and 5 (deploy anti-virus) represented a decline in compliance. Those two are arguably the foundation for why PCI DSS was started.
  • Malware is a Key Compromise Vector: 94% of the records compromised could be attributed to malware, and 96% to hacking. Why is that significant?  See the above bullet. Most breaches can be traced to a hacker breaking through some part of the defenses and installing malware to collect data (a significant portion of which comes from web-based infections). Addressing this is pretty basic stuff, but it becomes increasingly complex in large environments.
  • Data is King: 92% of the records compromised were pulled from database servers.  Again this goes back to my mantra, “Delete all data you don’t absolutely need (and take a hard look at what you ABSOLUTELY need), and defend what you do need to the death.” Just because 2009’s record count was less than half of 2008’s doesn’t mean that we’re in the clear. In fact, it could mean that the market for stolen data is a bit soft right now, and the bad guys are waiting for the economy to recover.
  • Look for Activity: In the “On Logs, Needles, and Haystacks” sidebar, Verizon asserts that instead of looking for the needle in the haystack—the successful breach—maybe we should look for the haystack! I LOVE this analogy, as the mere trend of common vulnerability exploitation like SQL Injection indicates 1) a threat, and 2) a potential compromise.  Don’t give up on this stuff, folks. Functional log capture, management, and analysis are a requirement when vigilantly defending your assets.
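
To make the “look for the haystack” idea concrete, here is a small log-analysis pass. It is an added example, not code from the report or from the original post: it reads constructed web server access-log lines (Combined Log Format), decodes each request URI, flags the common SQL injection shapes with a handful of deliberately broad patterns, and then summarizes the trend per source address and per probed path rather than hunting for one confirmed compromise. The sample IPs, paths and patterns are all assumptions for illustration.

```python
"""
Added example (not from the Verizon report or the original post): scan web
server access logs for the trend of SQL-injection attempts (the haystack)
rather than for a single successful breach (the needle).
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2010:10:01:02 -0400] "GET /products.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jul/2010:10:01:05 -0400] "GET /products.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jul/2010:10:01:09 -0400] "GET /products.php?id=7%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 311 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Jul/2010:10:02:11 -0400] "GET /login.php?user=bob HTTP/1.1" 200 1200 "-" "curl/7.19"
198.51.100.9 - - [28/Jul/2010:10:02:12 -0400] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.19"
192.0.2.44 - - [28/Jul/2010:10:03:30 -0400] "GET /search.php?q=%27%3B%20DROP%20TABLE%20orders%3B-- HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# Combined Log Format: client IP, ident, user, timestamp, request line, status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Indicators of SQL injection attempts in a decoded query string.  Each pattern is
# intentionally broad: the goal is to see the trend, not to write a zero-false-positive rule.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("stacked_query", re.compile(r";\s*(drop|delete|insert|update)\b", re.I)),
    ("comment_terminator", re.compile(r"(--|#|/\*)\s*$")),
]


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding so the patterns see what the application would see.
    rec["decoded_uri"] = unquote_plus(rec["uri"])
    rec["path"] = rec["decoded_uri"].split("?", 1)[0]
    return rec


def classify(decoded_uri):
    """Return the names of the indicators that fire on a decoded request URI."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded_uri)]


def analyze(log_text):
    """
    Build the 'haystack' view: how many SQLi-looking requests each source sent,
    which paths were probed, which indicators fired, and what status codes came back.
    """
    by_ip = Counter()
    by_path = Counter()
    indicators = Counter()
    statuses = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["decoded_uri"])
        if not hits:
            continue
        by_ip[rec["ip"]] += 1
        by_path[rec["path"]] += 1
        indicators.update(hits)
        # A 200 after an injection attempt deserves a closer look than a 500.
        statuses[rec["ip"]][rec["status"]] += 1
    return {
        "by_ip": dict(by_ip),
        "by_path": dict(by_path),
        "indicators": dict(indicators),
        "statuses": {ip: dict(c) for ip, c in statuses.items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in sorted(report["by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} suspicious request(s), status codes {report['statuses'][ip]}")
    print("paths probed:", report["by_path"])
    print("indicators:", report["indicators"])
```

Run against the constructed sample, it reports two suspicious requests from 203.0.113.5 against /products.php (one answered with a 200) and one from 192.0.2.44 against /search.php. That per-source, per-path trend is the haystack: it tells you which application is being probed and which source is persistent, which is far more actionable than waiting for a single confirmed exfiltration event.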

What are some key, actionable takeaways that we can run with for our security planning in 2010 and 2011?

  1. De-value your data.  Seriously, you can’t get around this.  Destroy everything you cannot reasonably obtain from a third party, and outsource everything you can to a third party to offload risk.
  2. Protect the data you do have. Do you still use only a username and password to authenticate people with access to critical systems and data? For shame. Get another factor in there.
  3. Get control of your networks. If you are not doing egress filtering, you will be the victim of a data breach. Don’t just go through the motions though (like many people treat compliance). Smart egress filtering will go a long way toward protecting your information assets.
  4. Get back to basics. I offered up my man card after writing a column that opened with a reference to Ina Garten’s show on the Food Network, but it’s fundamental to protecting your information assets.  If you don’t have solid patch management, anti-virus, and build standards, then why would you worry about the “Advanced Persistent Threat?” Excel in your performance of fundamental security before you tackle something more advanced.
  5. Trust but verify your people’s actions. Collusion is almost a requirement for a successful breach to occur.  Don’t let a disgruntled employee with a little too much access on their hands be your downfall.
  6. Train your employees to trust, but verify. Social engineering is ever present, and widely successful. Don’t let Julie in reception be a victim.

Go download this today and read through it for more insights on what is going on in real world breaches!

This post originally appeared on BrandenWilliams.com.

[1] Add in retail and you are up to 71%.