BankInfoSecurity.com - Information Security News, Regulations, & Education


What You Don't Know About the World's Worst Breaches - Dr. Peter Tippett on the 2009 Data Breach Investigations Report

June 2, 2009 - Tom Field, Editorial Director

Verizon Business investigated 90 major data breaches in 2008, comprising 285 million compromised records. Nearly three-quarters of those breaches were external hacks, and 99.9 percent of the records were compromised via servers and applications rather than end-user devices.

These are among the findings of Verizon's new 2009 Data Breach Investigations Report. In an exclusive interview, Dr. Peter Tippett, VP of Technology and Innovation at Verizon Business, discusses:

The survey results;
What these results mean to financial institutions and government entities;
Which threats to watch out for most in the coming months.

Tippett is chief scientist of ICSA Labs, the security product testing and certification organization that operates as an independent division of Verizon Business. An information security pioneer, Tippett has worked in the computer security industry for more than 20 years, initially as a vendor of security products and, over the past 16 years, as a key strategist. He is widely credited with creating the first commercial anti-virus product, which later became Norton AntiVirus.

TOM FIELD: Hi this is Tom Field. I'm talking with Dr. Peter Tippett, vice president of technology and innovation with Verizon Business. Peter, thanks so much for joining me today.

PETER TIPPETT: Well thanks for being here.

FIELD: Would you tell me a little bit about yourself and your work just to set some context for the discussion we are going to have today?


TIPPETT: Sure. I started in the security world a few years ago in the antivirus space and then started NCSA, which became ICSA, which then became TruSecure, which purchased many companies in Europe and Asia. We called ourselves Cybertrust, and in 2007 we merged with Verizon Business and became a security services group, taking people from Verizon Business into security, and now we are the biggest security services company in the world.

FIELD: Now I would like to talk with you about your new data breach investigation report. We are at the RSA Conference and I have to tell you, this report has just been--you have had great marketing for this. People have been talking this up throughout the event and I heard a quote from a prosecutor from the Department of Justice the other day saying that you are right on.

TIPPETT: Yeah.

FIELD: Give us some highlights about this report that you have done.

TIPPETT: Well the report is different from most things we read in security because this is the actual data from our investigations of over 600 cases of computer crime that were the worst in the world; 90% of whatever made it to the major media were cases that we investigated; a third of all cases that have ever been published were cases that we investigated.

The quick, short story for the bank and financial industries this year is that they have had an increase in organized crime, and it was entirely focused on the financial sector, very focused. We saw an increase in sophisticated tool use. But the good news is that in all of those cases, they got in through some easy way. They got in somewhere on a non-sensitive, non-critical device where the password was "password," or where it hadn't been patched in two years, or where it was a little SQL injection attack.

The easy things dominate by far, so easy entry points are very common. So if you are a targeted organization, which only a few were in our cases, the bad guys still get in through easy access points. We all worry about malcode, and only a third of the cases had malicious code used, but we tend to think of malcode as something the user picks up by doing their normal behavior. In our cases the malcode was used after the bad guy got in. They got in through some low-level thing that nobody was paying attention to, and then there was no good data there, so they put a sniffer in, or they put a scanner in, or they put a back door in so they could get back in, those kinds of malcodes. Virtually all of it was used after they were already in, and not as a way to get in, which is completely opposite of the way we think.

For the vast majority of attacks, 99.9% of all data that was lost was lost from servers; so that is 0.01% that had anything to do with desktops or PCs or PDAs or USB sticks or anything like that.

Imagine our security budget: how much we put on PC and end-user security and how much we put on server-based security. If you were balancing the dollars according to the way the losses actually worked, you would move dramatic funding away from PCs and desktops. Now, I am not saying you should, but what I am saying is that it is probably better to put energy where you already have control, in the space where the servers and network appliances are.

