2012 Data Breach Investigations Report

A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information Security Service, Police Central e-Crime Unit of the London Metropolitan Police, and United States Secret Service.

2012 Data Breach Investigations Report · Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data. Confidential and proprietary materials for authorized

PROPRIETARY STATEMENT

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service.

This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon.

© 2012 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Data Breach Investigations Report (DBIR) series

An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.

--

Available at: www.verizon.com/enterprise/databreach

Updates/Commentary:

http://www.verizon.com/enterprise/securityblog

Hold on… Wha??? Why is my telco investigating breaches?

RISK Team: More than an acronym

Research: Uncover the who, what, when, how and why behind computer security incidents.

Investigations: Study and understand the ever-changing risk and threat environment. It all starts here.

Solutions: Leverage lessons learned from “R” and “I” to create new products and enhance our existing portfolio.

Knowledge: Cultivate and disseminate our information resources to make our people, products, and brand smarter than the competition.

The RISK Team = Risk Intel + Investigative Response + eDiscovery

Investigative Response Team Global Reach

[Map of team locations: London, Leuven, SLC, Amsterdam, NYC, NJ, Chicago, Sydney, Hong Kong, Melbourne, LA, Dallas, DC / VA / PA, Las Vegas, Tampa, Tokyo, Singapore, Canberra, Barcelona, Dubai. Legend: Investigative Response; PS Area of Expertise; Lab / Protected Storage; Escalation Hotline (SOCs).]

2012 DBIR Contributors

Methodology: Data Collection and Analysis

• DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.

• Enables case data to be shared anonymously with the RISK Team for analysis.

VERIS is an (open and free) set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.

VERIS: https://verisframework.wiki.zoho.com/

2012 DBIR Process

[Process diagram; surviving labels: VERIS, 2012 DBIR]

Unpacking the 2012 DBIR

Threat Agents

Threat Agents: Larger Orgs

Threat Agents

Threat Agents: External

Threat Actions

Threat Actions: Larger Orgs

Top Threat Actions

Top Threat Actions: Larger Orgs

Compromised Assets

Most Compromised Assets

Asset Ownership, Hosting, and Management

Compromised Data

Smaller Orgs

Attack Targeting

Case Study: The 3-Day Workweek

Timespan of Events

Timespan of events: Larger Orgs

Breach Discovery

Breach Discovery

Recommendations: Smaller Orgs

Recommendations: Larger Orgs

DBIR: www.verizon.com/enterprise/databreach

VERIS: https://verisframework.wiki.zoho.com/

Blog: http://www.verizon.com/enterprise/securityblog

Email: [email protected]

2012 DBIR Puzzle

“email 8trak 2dbir”

• Gold: David Schuetz aka Darth Null

• Silver: Joeri de Gram

• Bronze: John Sullivan

• Fourth place missed out by 39 minutes for the second year in a row

• 14 steps to win (with no goofs)

• Favourite parts

– Grille cipher

– Chuck Testa (look it up on YouTube)

http://darthnull.org/2012/03/28/2012-verizon-dbir-cover-challenge/