Received: by 10.114.77.1 with SMTP id z1mr532945waa.23.1239958311367;
Fri, 17 Apr 2009 01:51:51 -0700 (PDT)
Return-Path: <jm..._at_tscm.com>
Received: from swip004.ftl.affinity.com (lvs00-fl-swip004.ftl.affinity.com [216.219.253.14])
by gmr-mx.google.com with ESMTP id k19si865149waf.5.2009.04.17.01.51.50;
Fri, 17 Apr 2009 01:51:51 -0700 (PDT)
Received-SPF: neutral (google.com: 216.219.253.14 is neither permitted nor denied by best guess record for domain of jm..._at_tscm.com) client-ip=216.219.253.14;
Authentication-Results: gmr-mx.google.com; spf=neutral (google.com: 216.219.253.14 is neither permitted nor denied by best guess record for domain of jm..._at_tscm.com) smtp.mail=jm..._at_tscm.com
Received: from [72.70.98.196] ([72.70.98.196]:44742 "EHLO Raphael.tscm.com")
by swip004.ftl.affinity.com with ESMTP id S751455AbZDQIve (ORCPT
<rfc822;T..._at_googlegroups.com>);
Fri, 17 Apr 2009 04:51:34 -0400
Message-Id: <7.0.1.0.2.20090417044305.1b763148_at_tscm.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Fri, 17 Apr 2009 04:44:35 -0400
To: TSCM-L <TSCM-..._at_googlegroups.com>
From: "James M. Atkinson" <jm..._at_tscm.com>
Subject: Verizon Business 2009 Data Breach Study Finds Significant Rise
in Targeted Attacks, Organized Crime Involvement
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mail-Filter-Gateway: Not scanned
X-Mail-Filter-Gateway-SpamDetectionEngine: not spam,
SpamAssassin (not cached, score=0.1, required 10, autolearn=disabled,
RDNS_NONE 0.10)
X-Mail-Filter-Gateway-From: jm..._at_tscm.com
X-Mail-Filter-Gateway-To: tscm-..._at_googlegroups.com
Verizon Business 2009 Data Breach Study Finds Significant Rise in
Targeted Attacks, Organized Crime Involvement
Financial Industry Accounts for 93 Percent of 285 Million Compromised
Records; Most Breaches Avoidable if Proper Precautions Taken
April 15, 2009
Media contacts:
Janet Brumfield, +1 614 723 1060
Junaidah Dahlan, +65 6248 6827
Clare Ward, +44 118 905 3501
BASKING RIDGE, N.J. - More electronic records were breached in 2008
than the previous four years combined, fueled by a targeting of the
financial services industry and a strong involvement of organized
crime, according to the "2009 Verizon Business Data Breach
Investigations Report" (DBIR) released Wednesday (April 15).
This second annual study -- based on data analyzed from Verizon
Business' actual caseload comprising 285 million compromised records
from 90 confirmed breaches -- revealed that corporations fell victim
to some of the largest cybercrimes ever during 2008. The financial
sector accounted for 93 percent of all such records compromised last
year, and a staggering 90 percent of these records involved groups
identified by law enforcement as engaged in organized crime.
Verizon Business investigative experts found, as they did in the
company's first report covering 230 million compromised records from
2004 to 2007, that nearly nine out of 10 breaches were considered
avoidable if security basics had been followed. Most of the breaches
investigated did not require difficult or expensive preventive
controls. The 2009 report concluded that mistakes and oversight
failures hindered security efforts more than a lack of resources at
the time of the breach.
Similar to the first study's findings, the latest study found that
highly sophisticated attacks account for only 17 percent of
breaches. However, these relatively few cases accounted for 95
percent of the total records breached - proving that motivated
hackers know where and what to target.
"The compromise of sensitive information increased dramatically in
2008, and it's past time to be vigilant about enterprise security,"
said Dr. Peter Tippett, vice president of research and intelligence
for Verizon Business Security Solutions. "This report should serve as
another wake-up call that good security and a proactive approach are
paramount to running a business in this day and age -- particularly
since the economic crisis is likely to trigger a further increase in
criminal activity."
(NOTE: To view a social media release that includes related online
resources such as video and audio podcasts, visit:
http://www.verizonbusiness.com/about/news/displaynews.xml?newsid=25282&mode=vzlong.)
High-resolution charts and graphs supporting the data breach report
are available at:
http://www.newscom.com/cgi-bin/prnh/20090415/NYW002-a
http://www.newscom.com/cgi-bin/prnh/20090415/NYW002-b
http://www.newscom.com/cgi-bin/prnh/20090415/NYW002-c
Key Findings of the 2009 Report
This year's key findings both support last year's conclusions and
provide new insights. These include:
Most data breaches investigated were caused by external
sources. Seventy-four percent of breaches resulted from external
sources, while 32 percent were linked to business partners and only 20
percent were caused by insiders, a finding that may be contrary to
certain widely held beliefs. (A breach can involve more than one type
of source, so the shares add up to more than 100 percent.)
Most breaches resulted from a combination of events rather than a
single action. Sixty-four percent of breaches were attributed to
hackers who used a combination of methods. In most successful
breaches, the attacker exploited some mistake committed by the
victim, hacked into the network, and installed malware on a system to
collect data.
In 69 percent of cases, the breach was discovered by third
parties. The ability to detect a data breach when it occurs remains
a huge stumbling block for most organizations. Whether the deficiency
lies in technology or process, the result is the same. During the
last five years, relatively few victims have discovered their own breaches.
Nearly all records compromised in 2008 were from online assets.
Despite widespread concern over desktops, mobile devices, portable
media and the like, 99 percent of all breached records were
compromised from servers and applications.
Roughly 20 percent of 2008 cases involved more than one
breach. Multiple distinct entities or locations were individually
compromised as part of a single case, and remarkably, half of the
breaches consisted of interrelated incidents often caused by the same
individuals.
Being PCI-compliant is critically important. A staggering 81 percent
of affected organizations subject to the Payment Card Industry Data
Security Standard (PCI-DSS) had been found non-compliant prior to
being breached.
The State of Cybercrime: 2009
As the cybercrime market continues to evolve, so do the targets,
techniques and types of attackers. The big money is now in stealing
personal identification number (PIN) information together with
associated credit and debit accounts. In 2008, Verizon Business
witnessed an explosion of attacks targeting PIN data.
These PIN-based attacks hit the consumer much harder than typical
signature-based counterfeit attacks in which a consumer's credit card
is compromised. Investigators found that PIN fraud typically leads
to cash being withdrawn directly from the consumer's account --
whether it is a checking, savings or brokerage account -- placing a
greater burden on the consumer to prove that transactions are fraudulent.
The higher monetary value commanded by PIN data has spawned a cycle
of innovation in attack methodologies. Criminals have re-engineered
their processes and developed new tools, such as memory-scraping
malware, to steal this valuable commodity.
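Memory-scraping malware of the kind mentioned above searches process memory for cleartext magnetic-stripe data, typically the track-2 layout that carries the PAN and expiry, and validates candidate digit runs so it only exfiltrates real card numbers. The scanner below is an added example written for this page, not code from Verizon or the report; it applies the same search from the defender's side, so a PCI assessor or incident responder can check whether a payment process or a memory dump exposes card data. The track layout is a simplified ISO/IEC 7813 track 2, and the sample buffer is constructed: the PANs are published test numbers, not real accounts.

```python
"""Scan a memory image for cleartext track-2 card data (added example; the
track layout is simplified and the sample buffer below is constructed)."""
import re

# Track 2: optional start sentinel ';', PAN (13-19 digits), separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(
    rb';?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??')


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 mod-10 check; real PANs pass, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS masking: at most the first six and last four digits shown."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return one finding per Luhn-valid track-2 record in buf, PAN masked."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group('pan').decode()
        if not luhn_ok(pan):
            continue              # digit runs that merely look like a track
        findings.append({
            'offset': m.start(),
            'pan': mask_pan(pan),
            'expiry': m.group('exp').decode(),
            'service_code': m.group('svc').decode(),
        })
    return findings


# Constructed sample "process memory": two cleartext track-2 records around
# unrelated bytes, plus a decoy digit run that fails the Luhn check.
SAMPLE_MEMORY = (
    b'\x00\x00POS_TXN_BUF\x00'
    b';4111111111111111=25121011234567890?'
    b'\x00\x00heap junk 1234567890123=2512101?'
    b'\x00\x005555555555554444=26061015432109876?\x00'
)

if __name__ == '__main__':
    for f in scan_memory(SAMPLE_MEMORY):
        print(f"offset {f['offset']:#06x}: PAN {f['pan']} "
              f"exp {f['expiry']} svc {f['service_code']}")
```

Run it against a dump of the payment application (for example a process snapshot taken during a test transaction); any finding means the PAN sits in RAM in the clear and is reachable by exactly the malware the report describes. The Luhn check is what keeps the scan useful on a large image: without it, every timestamp or serial number that happens to sit next to an "=" produces a false hit.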
The geographic distribution of external data breach sources continues
to show high activity in Eastern Europe, East Asia and North
America; the 2009 report shows that these regions accounted for 82
percent of all external attacks.
Among investigators, Tippett pointed out, "Eastern Europe is known as
a notorious haven for organized cybercrime outfits, which played a
major role in breaches throughout 2008."
"We have a great deal of evidence that malicious activity from
Eastern Europe is the work of organized crime," he said. However, he
added, "On the bright side, efforts with law enforcement led to
arrests in at least 15 cases (and counting) in 2008."
Financial Services Sees Biggest Increase of Any Industry
As was the case from 2004 to 2007, data breaches investigated in 2008
affected a wide array of organizations. While the retail industry
continues to be the most frequently targeted, accounting for a third
of all cases, the biggest rise was in financial services, which more
than doubled its share to 30 percent. But more importantly, the
financial sector accounted for more than nine out of 10 of the more
than 285 million records compromised.
The increase in data breaches in the financial sector reflects the
recent trends in cybercriminal activity, especially the focus on
acquiring PINs to sell them on the black market. Said Tippett, "The
financial services firms were singled out and fell victim to some
very determined, very sophisticated and, unfortunately, very
successful attacks in 2008."
Food and beverage establishments, the second most frequently hit
industry in the first report, dropped to third place in 2008 with its
share falling from 20 percent to 14 percent.
The number of investigations handled by the Verizon Business
investigative response team outside the United States rose to more
than one-third of its caseload in 2008. In addition to breaches
requiring extensive investigations across the United States, many
breaches hit organizations in Canada and Europe, while casework
continued to increase in Brazil, Indonesia, the Philippines, Japan
and Australia. Assuming attackers continue to pursue soft targets
internationally, concern in emerging economies can be expected to
rise as well, especially with respect to consumer data.
Tippett said, "Our task is not getting any easier; the sum total of
information in the world grows continually and permeates everything
we do and everywhere we go. While the majority of attacks remain
rather mundane, the criminals are adapting to our current protection
strategies and inventing new ways to attain the data they value."
Recommendations for Enterprises
The 2009 study again shows that simple actions, when done diligently
and continually, can reap big benefits. Based on the combined
findings of nearly 600 breaches involving more than a half-billion
compromised records from 2004 to 2008, the Verizon Business RISK team
recommends:
Change Default Credentials. More criminals breached corporate assets
through default credentials than any other single method in
2008. Therefore, it's important to change user names and passwords
on a regular basis, and to make sure any third-party vendors do so as well.
Avoid Shared Credentials. Along with changing default credentials,
organizations should ensure that passwords are unique and not shared
among users or used on different systems. This was especially
problematic for assets managed by a third party.
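The two recommendations above, default credentials and shared credentials, can both be checked from an export of local-account password hashes. The audit below is an added example written for this page, not code from Verizon or the report. It assumes the export holds unsalted SHA-256 hashes (many appliance and point-of-sale configurations of the period stored unsalted hashes), that the default list is illustrative, and that the records are constructed; a default is detected by hash lookup, and sharing by the same hash appearing under more than one account or system.

```python
"""Audit exported account hashes for vendor defaults and shared passwords
(added example; unsalted SHA-256 storage and the records are assumptions)."""
import hashlib
from collections import defaultdict


def h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Assumed vendor defaults; in practice build this from the manuals of every
# product in the asset inventory, including third-party managed equipment.
KNOWN_DEFAULTS = {h(p): p for p in ['admin', 'password', 'pos', 'changeme', '1234']}

# Constructed export of (system, account, sha256(password)). Plaintexts are
# used only to build the sample here; audit() never sees them.
_SAMPLE = [
    ('pos-01', 'admin',  'admin'),        # vendor default never changed
    ('pos-02', 'admin',  'Tr0ub4dor&3'),
    ('pos-03', 'admin',  'Tr0ub4dor&3'),  # integrator reused it across sites
    ('pos-03', 'report', 'Tr0ub4dor&3'),  # and between accounts on one box
    ('db-01',  'sa',     'Gz8#qLp!vm2R'),
    ('vpn-01', 'vendor', 'changeme'),     # third-party account on a default
]
EXPORT = [(system, account, h(pw)) for system, account, pw in _SAMPLE]


def audit(export, defaults=KNOWN_DEFAULTS):
    """Return (default_hits, shared_groups).

    default_hits:  [(system, account, default_password)] for every hash that
                   matches a known vendor default.
    shared_groups: one list of (system, account) per password hash that is
                   used by more than one account or system.
    """
    default_hits = []
    by_hash = defaultdict(list)
    for system, account, digest in export:
        by_hash[digest].append((system, account))
        if digest in defaults:
            default_hits.append((system, account, defaults[digest]))
    shared_groups = [users for users in by_hash.values() if len(users) > 1]
    return default_hits, shared_groups


if __name__ == '__main__':
    hits, groups = audit(EXPORT)
    for system, account, pw in hits:
        print(f'DEFAULT  {system}/{account}: still uses vendor default {pw!r}')
    for group in groups:
        print('SHARED   ' + ', '.join(f'{s}/{a}' for s, a in group))
```

Where the stored hashes are salted per account, equal passwords no longer produce equal hashes and the reuse check has to verify candidate plaintexts against each record instead; an export that is unsalted, as assumed here, is itself a finding to record alongside the default and shared credentials.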
Review User Accounts. Years of experience suggest that organizations
review user accounts on a regular basis. The review should consist of
a formal process to confirm that active accounts are valid,
necessary, properly configured and given appropriate privileges.
Employ Application Testing and Code Review. SQL injection attacks,
cross-site scripting, authentication bypass and exploitation of
session variables contributed to nearly half of the cases
investigated that involved hacking. Web-application testing has never
been more important.
Patch Comprehensively. Every vulnerability that hacking or malware
exploited to compromise data was six months old or older at the time
of the breach -- meaning that patching quickly isn't the answer, but
patching completely and diligently is.
Assure HR Uses Effective Termination Procedures. The credentials of
recently terminated employees were used to carry out security
compromises in several of the insider cases this year. Businesses
should make sure formal and comprehensive employee-termination
procedures are in place for disabling user accounts and removal of
all access permissions.
Enable Application Logs and Monitor. Attacks are moving up the
computing structure to the application layer. Organizations should
have a standard log-review policy that requires an organization to
review such data beyond network, operating system and firewall logs
to include remote access services, Web applications, databases and
other critical applications.
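The log-review policy above only pays off if the review looks for the specific patterns the report names in the earlier recommendations: credentials of terminated employees still being accepted, SQL injection, and authentication bypass through session variables the client should never be able to supply. The script below is an added example written for this page, not code from Verizon or the report, and runs the checks over constructed application log lines. The log format, field names, HR termination feed and the list of session-only parameters are assumptions; a production deployment would use a maintained signature set rather than the small regex here.

```python
"""Review constructed application log lines for terminated-account logins,
SQL injection and client-supplied session variables (added example; the log
format, HR feed and parameter list are assumptions)."""
import re
from datetime import date
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed HR feed: account -> last working day. Any login after it is an alert.
TERMINATED = {'jdoe': date(2008, 11, 3)}

# Parameters that must only ever come from the server-side session.
SESSION_PARAMS = {'role', 'is_admin', 'acct_id'}

# Minimal injection signatures, applied to the URL-decoded request.
SQLI_RE = re.compile(
    r"(?i)(\bor\b|\band\b)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"
    r"|\bunion\b\s+(all\s+)?select\b|--\s*$|;\s*(drop|shutdown)\b")

AUTH_RE = re.compile(
    r'^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$')
WEB_RE = re.compile(
    r'^(?P<ts>\S+) web src=(?P<src>\S+) user=(?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3})$')


def check_auth(m) -> list:
    """Flag any authentication attempt, successful or not, by a terminated account."""
    alerts = []
    term = TERMINATED.get(m['user'])
    if term and date.fromisoformat(m['ts'][:10]) > term:
        alerts.append(f"{m['ts']} terminated account {m['user']} login "
                      f"{m['result']} from {m['src']}")
    return alerts


def check_web(m) -> list:
    """Flag SQL injection patterns and client-supplied session variables."""
    alerts = []
    raw = m['url']
    decoded = unquote_plus(raw)                 # signatures run on decoded text
    params = dict(parse_qsl(urlsplit(raw).query, keep_blank_values=True))
    if SQLI_RE.search(decoded):
        alerts.append(f"{m['ts']} sql injection pattern from {m['src']}: {raw}")
    for p in sorted(set(params) & SESSION_PARAMS):
        alerts.append(f"{m['ts']} client-supplied session variable "
                      f"{p}={params[p]} from {m['src']} (user {m['user']})")
    return alerts


def review(lines) -> list:
    """Return one alert string per finding; lines that fail to parse are reported, not dropped."""
    alerts = []
    for line in lines:
        if m := AUTH_RE.match(line):
            alerts += check_auth(m)
        elif m := WEB_RE.match(line):
            alerts += check_web(m)
        else:
            alerts.append(f"unparsed line: {line}")
    return alerts


# Constructed sample log; not taken from any real system.
SAMPLE_LOG = """\
2008-12-02T09:14:03 auth ok user=asmith src=10.1.4.22
2008-12-02T22:41:17 auth ok user=jdoe src=203.0.113.9
2008-12-02T22:42:05 web src=203.0.113.9 user=jdoe "GET /orders.jsp?cust=1042&role=admin" 200
2008-12-02T22:43:51 web src=203.0.113.9 user=jdoe "GET /search.jsp?q=%27+OR+%271%27%3D%271" 500
2008-12-02T22:50:10 web src=10.1.4.22 user=asmith "GET /search.jsp?q=gift+cards" 200
""".splitlines()

if __name__ == '__main__':
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Two details matter in practice: the injection signature is matched against the decoded request, since attackers routinely encode quotes and spaces to slip past naive filters, and a line that does not parse is itself surfaced, because a format change that silently drops records is how a review process fails without anyone noticing.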
Define "Suspicious" and "Anomalous" (then look for whatever "it" is).
The increasingly targeted and sophisticated attacks often occur to
organizations storing large quantities of data valued by the criminal
community. Organizations should be prepared to defend against and
detect very determined, well-funded, skilled and targeted attacks.
Tippett concluded, "This report clearly shows it's not about clever
or complex security protection measures. It really boils down to
ensuring the basics are met from planning to implementation to
monitoring of the data."
A complete copy of the "2009 Data Breach Investigations Report" is
available at
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf.
About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE: VZ), is a
global leader in communications and IT solutions. We combine
professional expertise with the world's most connected IP network to
deliver award-winning communications, IT, information security and
network solutions. We securely connect today's extended enterprises
of widespread and mobile customers, partners, suppliers and employees
- enabling them to increase productivity and efficiency and help
preserve the environment. Many of the world's largest businesses and
governments - including 96 percent of the Fortune 1000 and thousands
of government agencies and educational institutions - rely on our
professional and managed services and network technologies to
accelerate their business. Find out more at www.verizonbusiness.com
####
----------------------------------------------------------------------------------------------------
James M. Atkinson
Granite Island Group
127 Eastern Avenue #291
Gloucester, MA 01931-8008
Phone: (978) 546-3803
Fax: (978) 546-9467
Web: http://www.tscm.com/
E-mail: mailto:jm..._at_tscm.com
----------------------------------------------------------------------------------------------------
No enterprise is more likely to succeed than one concealed from the
enemy until it is ripe for execution. - Machiavelli, The Prince, 1521
Received on Sat Mar 02 2024 - 00:57:19 CST