This week saw the release of the 2009 Data Breach Investigations Report put out by Verizon. This one differs from last year's report in that it covers only 2008, as opposed to a three-year period (2004-2007) like the last one. It is also based on firsthand evidence collected by Verizon's investigative response teams. This is both good and bad. It is good in that their analysis of root causes is probably very accurate (as opposed to relying on someone else's experiences). On the other hand it is bad in that their analysis of how industry and organization size correlate with data breaches is heavily influenced by their own customer base. As a result I am intentionally not going to pay any attention to those results/correlations.
It is also important to recognize that all such studies are biased in some way. It is very hard to conduct a study like this without introducing some sort of bias, whether through the wording of questions or the selection of the data set analyzed. Rather than throw out all studies, it is important to put their findings in the proper context before applying them to your own decision-making process. What follows is my attempt to do that.
Findings of note:
· A large majority of data breaches came from outside the organization (43%) or from multiple sources (39%), 82% combined. "Multiple sources" appears to be defined as a combination of external, internal, and/or partner sources.
· External attacks came primarily from Eastern Europe, East Asia, and North America. During the period between 2004 and 2007 these regions accounted for 59% of the attacks; in 2008 they accounted for 82%. Beyond the region, nearly two-thirds of the attacks could not be traced to any specific entity other than an IP address. Of the ones that were traced, most were connected with some sort of organized crime. In fact Verizon points out an amazing statistic: 91% of all compromised records in 2008 were attributed to organized crime activity.
· A majority of the breaches involving business partners involved the lax security practices of the partner who was administering client-side systems.
· Error is a significant contributing factor in nearly all data breaches. This one is very interesting to me because, if the study is accurate in this regard, it means that most organizations already have the tools they need. In other words, you don't really need that new shiny box with the blinky lights on the front to protect your network. The errors come from misconfigurations, omissions, programming errors, process breakdowns and poor decisions. Verizon took the time to clarify their use of the term "omission": an omission is the failure to follow through on enacted policies and/or procedures, and is distinctly different from misconfigurations and programming errors. This is a common problem with compliance-focused security programs (my own assessment, not Verizon's).
· A large majority of victim organizations were either fully targeted (28%) or opportunistically targeted (44%), 72% combined. A fully targeted attack is one where the victim was chosen before the means to exploit them was discovered. Opportunistic targeting involves the victim being chosen because of a known weakness or vulnerability, such as running a version of software with known exploitable vulnerabilities. Verizon provides a suggestion with which I fully concur: organizations need to determine whether they will be identified as a target of choice or a target of opportunity. A target of choice needs to be prepared to fend off determined and sophisticated attacks; a target of opportunity needs to minimize the opportunities for exploitation.
· Online data is by far the most frequently compromised asset (94%, compared to 17% for end-user systems). This is important from a prioritization standpoint. While it is fashionable to institute elaborate means to protect offline data, mobile devices, and end-user systems, the money would be better spent on securing application servers and databases first. (Incidentally, this is the only instance in Verizon's analysis where I felt that the comparison between the percentage of breaches and the percentage of records compromised had relevance.)
· 87% of breaches could have been avoided had the organization implemented simple (53%) or intermediate (34%) level controls. This falls in line with the Pareto Principle (the 80/20 rule) as it applies to protecting information: roughly 80% of the issues can be resolved with only 20% of the effort (time and money).
My interpretation of Verizon's findings underscores my belief that most of what is needed to protect an organization's information assets already exists within the organization. The findings speak to improving change and configuration management programs, along with a more complete integration of security into an organization's system development life cycle (SDLC). They also speak to ensuring that business partners with whom you share critical data (whether by transferring it to their systems or granting them access to yours) are required to comply with the same level of security that you employ within your own environment.
The bottom line is that these improvements do not need to cost a lot of money. Most of them come from focusing on the basics and doing them well – over and over again.
Tags: 2009 Data Breach Investigations Report, Data Breach, external threat, insider threat, internal threat, misconfiguration, omission, Online Data, opportunistic targeting, Pareto Principle, partner threat, poor decisions, Principle of Least Effort, Prioritization, process breakdowns, programming errors, target of choice, target of opportunity, targeted attack, third-party threat, threat source, Verizon, vulnerability, weakness