Inside the Verizon Breach Report: Latest Trends in How Entities are Being Breached
These are among the key takeaways of the 2010 Verizon Business Data Breach Investigations Report. In an exclusive interview in advance of the report's release, Wade Baker, one of the study's primary authors, discusses:
- Top headlines from this year's report;
- The U.S. Secret Service's role in this study;
- New trends in how entities are breached;
- What individuals and organizations must do to improve detection and prevention of breaches.
"Almost 50% of the breaches investigated by Verizon and the Secret Service in 2009 were attributed to insiders," Baker says. "That's a pretty big change."
Baker is the director of risk intelligence for Verizon Business. In this role, he oversees the collection and analysis of data relevant to understanding and managing information risk. Intelligence from these activities is used to create and improve products, inform personnel and clients, and publish credible research to the security community.
Baker has more than 10 years of experience in the IT and security industries. His background spans the technical-managerial spectrum from system administration and web development to risk management and corporate decision-making. Prior to his tenure at Verizon Business, he spent five years on the faculty of two major research universities, most recently in the Pamplin College of Business at Virginia Tech.
A researcher at heart, Baker's work on various topics has been published in a number of highly-rated academic journals, professional magazines, and books. His research for the President's Information Technology Advisory Council was featured in the 2005 Report, "Cyber Security: A Crisis of Prioritization." Baker is the creator, author, and primary analyst for the Verizon Data Breach Investigations Report series.
TOM FIELD: So this is the long-awaited report of the year; it is something that people very much look forward to each year. What would you say are the top headlines of this year's Breach Investigations Report?
WADE BAKER: Well, undoubtedly the top headline is that we are working with the Secret Service on this one. It's a really excellent chance to have a wider-angle lens, if you will, on the world of data breaches. So that really changed a lot of things and a lot of new perspectives and insight, so that is a top headline.
Inside that there are things that we have seen, attacks that we have never seen before, you know, a lot more ability to look at insider attacks than we have in the past, some attacks that even affect consumers in certain ways, like tampering of ATMs and skimming devices and those kinds of things that Verizon typically hasn't investigated in the past.
So the big headline stuff is new information, new data sets, which allows us to really better understand the world.
FIELD: Well, let's talk about the U.S. Secret Service. What do they bring to this project, and how does that influence the findings this year?
BAKER: So a lot of people are not really familiar, or they have a lot of questions about what exactly the Secret Service's role is in respect to data breaches. And it is quite interesting how this relationship developed. We often work with them at some point during a case, so Verizon will be called in to investigate and do forensic analysis, and then if we find evidence that a crime was committed, many times the Secret Service will pick up the investigation from that point on and take it through to prosecution and arrest and conviction of whoever was behind the breach. So we have had a working relationship there.
The Secret Service, one of their callings in addition to protecting the President, is to protect the financial system of the United States. And of course that started a little over a hundred years ago, when counterfeiting and fraud and all of those kinds of things in the physical world. And just as we have gone along, that has moved to the cyber world. So that's why they are involved and what they bring.
I mentioned before that they bring a new perspective. Verizon and the Secret Service work some of the same cases, but they also have a pretty different caseload when you look at it, and that's a good thing when we are really trying to, again, understand how data breaches really work. We don't want to be locked into our own little part of the world and bias and all of those kinds of things, so it's really a good opportunity for that, and it's a very, very new - there are things that the Secret Service brings to this study that Verizon just couldn't do.
So, in other words, they offer some appendices in the back of this report where they talk about the cyber underground and, as they go and infiltrate and try to root out cyber crime, how those institutions work and how online collaboration among criminals works, and they even have a case study about prosecuting cyber crime. All of that is very new and very interesting, we feel.
FIELD: Well, Wade, as I glanced through the report, the things that jumped out to me were the statistics about external hacks being down this year compared to last year, and insider crimes being up. What is the story behind those numbers?
BAKER: Yes, those are always numbers that generate a lot of discussion and even debate when this report comes out because people have just a lot of long-held beliefs about how data breaches should work. There is an 80/20 rule, or an 80 percent myth that has lived a long time in our industry that says that 80 percent of all breaches are due to insiders. We have traditionally shown almost the opposite of that, where 80 percent of what we find, the breaches that we investigate, are due to outsiders, and about only 20 percent are due to insiders.
Just like you mentioned, that has changed this year. This year is at about 70 percent external, so not a huge drop, but still a drop. And almost 50 percent of the breaches that were investigated by Verizon and the Secret Service in 2009 were attributed to insiders; so that is a pretty big change.
There are lots of reasons for that, and we can get into that in a little bit, but those are some headliner stats, and I will just also mention that our third category, when we are really talking about who is behind breaches, we have external, internal and partner. Partner is also down; for the past couple of years we have been showing breaches attributed to partners declining a bit, and that is a pretty interesting statistic, and I don't know if we are better prepared or if there is more awareness among organizations about third-party risks. It could just be a fluke of the statistics, but it is interesting to see that over time.
But the insider thing is really interesting, and I imagine there will be a lot of talk about it. It is definitely something to do with the Secret Service's caseload though. I mean, that's very clear. We have a chart in the report that shows just Verizon's historical trend for that, and we are still at the 20 percent mark in our caseload, very, very flat trend. So the change that you are seeing there is directly the result of adding in all of those Secret Service cases.
FIELD: When you look at these insider breaches, Wade, what is your sense about how many of them would be malicious intent -- that someone means to commit a crime -- versus accidental, where somebody loses a laptop or there is some sort of an accidental data loss?
BAKER: Almost everything in this report is deliberate and malicious attempt. We attempt to dig those details out when we are doing it. There are all kinds of classifications in things that we do and rules that we set up about how we classify these things, so I will just make it clear that almost every single breach at some point has an insider that did something by accident or forgot to do something or misconfigured a device or something of that nature that facilitated or led to or contributed to the breach, but we don't really consider those insider events because the insider wasn't the perpetrator or the real threat agent.
The statistics that we have been talking about are when the insider really... acts deliberately. And a few of them are what we call inappropriate, so the insider didn't deliberately attack systems with the intent to steal data, but they knew they were breaking policy and maybe they just decided that it was more convenient to behave in this manner or to skirt this policy or to avoid this procedure in an entirely different.
We have policies for a reason, and those things can facilitate or help lead to breaches in various ways, whether it is downloading malware because you have been visiting internet sites that you shouldn't or opening attachments because you are using corporate emails to communicate with non-corporate people for non-corporate purposes, all of those kinds of things.
FIELD: So, in terms of how organizations are breached, you talked up front about some of the trends. What are you seeing that is new?
BAKER: Very new again, related to the Secret Service statistics is that for the first time since we have done this study our threat action category of misuse is the most common method of breaching data. We have seven categories, if you are familiar with these reports, we call them threat action categories, but they are malware, hacking, social, misuse, physical, error and environmental. That just separates major distinctions of the actions or what people are doing, and misuse is anything that involves privilege misuse, abuse of your access that you have to IT resources, or just anyone that chooses to misuse or abuse what the organization has given them sort of falls under that large misuse umbrella.
And again, that's number one this year, which is a significant change. We have always shown that malware and hacking were sort of the leading action types, which there are many reasons for that. Again the Secret Service data is the primary reason that we see that, and it is linked to the insiders because insiders are the ones who have privileges, so it makes sense that if the percentage of insiders grows then the percentage of misuse would grow as well.
I would like to say that it is quite interesting -- we do a little bit of talk about this in the report, especially since we are talking financial services here: A couple of years ago, we published the 2008 Supplemental Data Breach Report, and in that we showed statistics specific to financial services and retail and food and beverage and tech services just to kind of show how these trends are very different among these different industries.
In that report, it actually showed that social and misuse and those kinds of categories were higher for financial services, so it is not the first time we have ever seen data that shows that hacking and malware aren't the number one threats against organizations. It really is dependent on the types of organizations that we are talking about, and this year's sample happens to be heavily weighted toward financial services.
FIELD: When you look at the verticals that are covered in this report, how do they compare, and where do you see the most vulnerabilities? I wonder, for instance, about healthcare, which now has new reporting regulations and requirements.
BAKER: Yep, that's a good question. So this is the first report where there is just a clear move in the direction of financial services. If you go back two years ago, retail was far and above more common in our caseload than anything else. And then last year, financial services was number one, but it was neck and neck with retail; they were both at around 30 percent, give or take one percent of each other. This year, if you look at the demographic distribution, financial services is pretty far ahead of others, and there are several reasons for that. I don't know if you can draw a conclusion that, well, financial services are much more susceptible to data breaches than any other type of organization, because I would argue actually they are not as susceptible. It is just that they have data that the criminals really, really, really want, and the criminals know that, and so they are more targeted and more sought after than say a retail organization.
While that doesn't always hold true, the data seems to suggest that the retail and restaurant and hospitality industry breaches are usually more opportunistic in nature; in other words, they find a vulnerability, or they know exactly how to crack that certain point of sale system, and that is the way the criminals work against those. Whereas in financial services a lot of times it is a little bit more of a premeditated, selected, targeted type of attack.
When you look at the overall amount of compromised records, we had 143 million records compromised in 2009; 85 percent, or somewhere around there, of those 143 million records were attributed to financial services, so they are responsible for a large majority of data loss in this sample.
FIELD: Based on your experience, and particularly from the last couple of years, Wade, where do you see that organizations have improved in detecting and deterring these breaches?
BAKER: That's a tough question because quite honestly it is difficult to see where there has been improvement. Sometimes I have to remind myself that in this study we are only looking at the organizations that suffered a breach, so the rest of the world could be really, really good and not have any problem and detect breaches immediately and all of that kind of stuff; we just don't see it.
I tend to get pessimistic especially about detection and discovery, just because I am always looking at this sort of postmortem analysis. But, just looking at that, because that is important and it really does tell us a lot about what we need to be looking out for, there is really not a lot of improvement. We have always shown that breaches take a very long time to discover; victims usually don't discover those for months or so after they happen, whereas it is slightly faster this time, it is really almost the same.
If you look at those charts, they are going to look very similar to how they have in the past, and I find that quite amazing because I have always wondered, and people have always asked, "Hey, is this just a Verizon caseload thing? Are things really this bad? Is this just because you guys investigate some nasty breaches, and this really isn't indicative of organizations as a whole?" But now we have all of the sudden the ability to analyze Secret Service data, and their statistics show the exact same thing, so I find that really, really compelling, and it just again shows that we have got a lot of work to do in the detection realm.
I will just add that it is similar again in how organizations come to detect and discover breaches; it's still a third party that tells them. They don't usually find it themselves. The things that we put in place like intrusion detection and log analysis, we are not using those things to their fullest capabilities, and we have really got a lot of work to do there.
FIELD: So when you look ahead toward the end or the remainder of this year and going into 2011, where do organizations and consumers as you mentioned, need to be doing a better job to detect and deter these threats?
BAKER: The answer to that question is one that a lot of people don't really find all that interesting or compelling because it's a boring answer. We need to be doing the things that we know we should be doing, the things that we've had in place, and the things that are already in our policies. If we really, really, really spent the time making sure that we do those security basic 101-kind of stuff, many of these attacks that we discussed throughout this report would not be successful. Or if they were successful, the criminal would have to work a lot harder than they are having to work in what we see.
So that is a boring answer because people want an answer like "Go out and buy this newfangled solve-all-of-your-problems kind of technology," but that's really an incorrect answer. I mean time and time again I am always reminded that security is very much like quality management, where we need to get better at processes that maintain, that control, that reduce variations from what we want to happen, and that leads to a success more successful than a healthy program.
But aside from that, there are some specific things - the insider statistics, we got a chance to really focus in on that in this report and see a lot more of how those work than we have in the past so we have a few recommendations on that.
Most of these organizations granted insiders way more privileges than they needed to perform their daily job duties, and that just seemed to be endemic of all organizations. You sign them up and you give them admin privileges, and you send them on their way. I am really hoping that we get away from that and go back to "Well, okay, you have this job goal and you need to do these things, so what are the appropriate levels of permission for you to be able to do those things?" And then also monitoring insiders. You know, we would prefer to trust our insiders and just assume that they are going to abide by the rules and be good citizens and all of that kind of stuff, and we think monitoring is distrustful and mean and that kind of thing. But you know, knowing when, especially privileged insiders exercise their privileges and what they are doing and recording those things in logs and stating in our policies that X and Y will not be tolerated or else, and all of those kinds of things that are necessary. And we think they would really help some of those situations.
In addition to that there was quite an interesting trend that I really would like to see if others had seen something similar, but on the insiders that committed these malicious, deliberate types of attacks against their employers, many of them had kind of a bad history; not necessarily of deliberate malicious attacks, but sort of minor policy violations and just had shown evidence that they didn't really want to cooperate, and they would break policy and do other things like that in their past. So, we had a little bit in this report about "Hey, those things might be an indicator of something worse to come," so that is another recommendation.
We cover again, we have made many recommendations in the previous reports and we don't retread those grounds, but they are still very, very, very applicable, so we would refer to those. In this report we make a few more, especially about monitoring egress filtering, so data and traffic going out of your network; we do a very good job of hardening our external and watching incoming traffic and blocking that, but we kind of forget that hey, sensitive things can go out of our network to other places.
In this report we talk a lot about malware and how it works and the fact that once malware is installed in an organization, it is communicating with the outside world and opening doors for criminals to go in and out and all of these kinds of things. And it really points to the fact that we need to be more aware of what is going out of our networks as well as in. So several recommendations like that that we cover in this report that we really think will help others avoid what we see among these organizations.