Verizon Data Breach Report: “Know Your Enemy” Edition
Originally prepared for InfraGard Honolulu Chapter, May 3, 2011
Beau Monday, CISSP GSEC
Information Security Officer @ HawaiianTel
Disclosures
• Hawaiian Telcom was a subsidiary of Verizon at one point, but was sold to private investors in 2005.
• This review focuses primarily on the threat side of the equation.
History
• 4th year of public releases
  – Starting in 2008
  – 6 total reports (mid-year supplementals in 2008 and 2009)
• Dataset now contains:
  – 7 years of data
  – 1700+ breaches
  – 900M compromised records
Data Sources
• Verizon Caseload (94 breaches in 2010)
  – Only cases where Verizon was directly engaged as an investigator and a breach was confirmed
• US Secret Service (667 breaches in 2010)
  – Verizon reviewed USSS’ caseload and only included cases that matched Verizon’s criteria for a breach
  – If Verizon and USSS both worked on an individual case, Verizon’s data was referenced for the report
• Dutch National High-Tech Crime Unit (30 cases spanning several years)
Things to keep in mind
• The addition of the USSS and Dutch NHTCU data has nearly doubled the size of the dataset from last year
• Comparing year-to-year data can be challenging as a result (as you will see)
Demographics – by Sector
Demographics – by Org Size
• Large companies catching a break?
• Shift towards SMBs?
Threat Agents
• Attacks via partners down from 10% to <1% (!)
• Attacks via insiders down from 48% to 17% (!)
Threat Agent Trends
• Insider threats have declined, but not by as much as the first graph indicated
Who are the (external) bad guys?
• Eastern Europe takes a commanding lead
Who are the (internal) bad guys?
• Quite a jump in regular users (was 51% last year)
• % of breaches involving Finance staff doubled
• % of breaches involving executives increased from 7% to 11%
Threat Categories
• Malware was #1 last year, but dropped to 4th in 2010
• Physical doubled as a % of breaches
Malware
Malware Customization
Hacking Methodologies
Attack Pathways
Social Engineering Trends
• 11% of breaches employed some level of social engineering (down from 28% last year)
Physical Attacks
• Physical attacks are twice as prevalent versus last year
• ATM and gas pump skimmers represent the bulk of this increase
Recommendations
• Overall: “Achieve essential, then worry about excellent”
Recommendations (cont.)
• Access Controls
  – Change default creds
  – Review user accounts often
  – Restrict and monitor privileged accounts
• Network Management
  – (Catalog and) Secure Remote Access Services
  – Monitor and filter egress traffic
Recommendations (cont.)
• Secure Development
  – Application testing and code review
• Log Management and Analysis
  – Enable application and network logs (and monitor them)
  – Define “anomalous” and then look for it
  – Try to achieve real-time log monitoring/alerting
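The access-control and network-management recommendations (change default creds, monitor privileged accounts, filter egress) and the log-management recommendation (define “anomalous”, then look for it) can be turned into concrete detection rules. The following is an added example, not code from this presentation or from Verizon: it runs a handful of rules over constructed authentication and flow log lines. The log line formats, the account lists, the business-hours window, the failed-login threshold and the egress allow-list are all assumptions made for the demo.

```python
"""Detection rules for the DBIR-style advice: define "anomalous", then look for it.

Added example, not from the presentation or from Verizon. The log line formats,
account lists, business hours, failure threshold and egress allow-list are
assumptions for this demo; the sample log lines are constructed, not real data.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed inventory: vendor/default accounts that should not be logging in
# interactively, and accounts that carry elevated privilege.
DEFAULT_ACCOUNTS = {"admin", "root", "sa", "guest"}
PRIVILEGED_ACCOUNTS = {"admin", "root", "sa", "domain_admin"}
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time (assumption)
FAIL_THRESHOLD = 5                       # failed logins per source before alerting
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EGRESS_ALLOW = [ipaddress.ip_network("203.0.113.5/32")]   # assumed egress allow-list

# Hypothetical log formats: one for authentication events, one for flow records.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$")


def _in_nets(addr, nets):
    """True if the address falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def analyze(lines):
    """Return a list of (rule, line) findings for the given log lines."""
    findings = []
    fails = defaultdict(int)            # failed-login counter per source address
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            user, src, result = m["user"], m["src"], m["result"]
            hour = datetime.fromisoformat(m["ts"]).hour
            if result == "FAIL":
                fails[src] += 1
                if fails[src] == FAIL_THRESHOLD:       # alert once per burst
                    findings.append(("failure_burst", line))
                continue
            # Successful logins: the checks the access-control slide calls for.
            if user in DEFAULT_ACCOUNTS:
                findings.append(("default_account", line))
            if user in PRIVILEGED_ACCOUNTS and hour not in BUSINESS_HOURS:
                findings.append(("privileged_offhours", line))
            if fails[src] >= FAIL_THRESHOLD:           # guessing that finally worked
                findings.append(("success_after_failures", line))
            continue
        m = FLOW_RE.match(line)
        if m and _in_nets(m["src"], INTERNAL_NETS):
            # Egress monitoring: an internal host talking to a destination that
            # is neither internal nor on the allow-list.
            if not _in_nets(m["dst"], INTERNAL_NETS + EGRESS_ALLOW):
                findings.append(("egress_violation", line))
    return findings


def summarize(findings):
    """Count findings per rule, the shape a real-time alert would key on."""
    counts = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2011-04-12T03:14:07 auth OK user=admin src=198.51.100.23 svc=rdp",
    "2011-04-12T09:02:11 auth OK user=jsmith src=10.1.4.20 svc=vpn",
    "2011-04-12T14:45:30 auth OK user=sa src=10.1.9.7 svc=mssql",
    "2011-04-12T11:00:01 auth FAIL user=root src=192.0.2.9 svc=ssh",
    "2011-04-12T11:00:02 auth FAIL user=root src=192.0.2.9 svc=ssh",
    "2011-04-12T11:00:03 auth FAIL user=root src=192.0.2.9 svc=ssh",
    "2011-04-12T11:00:04 auth FAIL user=root src=192.0.2.9 svc=ssh",
    "2011-04-12T11:00:05 auth FAIL user=root src=192.0.2.9 svc=ssh",
    "2011-04-12T11:00:09 auth OK user=root src=192.0.2.9 svc=ssh",
    "2011-04-12T11:05:00 flow src=10.1.9.7 dst=203.0.113.5 dport=443 bytes=1200",
    "2011-04-12T11:06:00 flow src=10.1.9.7 dst=192.0.2.77 dport=6667 bytes=48000",
    "2011-04-12T11:07:00 flow src=10.1.4.20 dst=10.2.0.5 dport=445 bytes=900",
]

if __name__ == "__main__":
    for rule, line in analyze(SAMPLE_LOG):
        print(f"{rule:24} {line}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The point of the example is the shape, not the specific rules: each rule is an explicit definition of “anomalous” for one of the recommendations, it operates on logs the organisation already has (authentication and flow records), and the per-rule counts are what a real-time alerting threshold would key on. Substitute the real account inventory, network ranges and allow-list for the assumed ones.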
Recommendations (cont.)
• Incident Management
  – Create an Incident Response Plan
  – Engage in mock incident drills
• Training and Awareness
  – Increase awareness of social engineering
  – Train employees to look for signs of tampering and fraud
References & Contact Info
• References:
  – Verizon Data Breach Investigations Report 2011: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
  – Verizon DBIR 2011 – Metrics, Interpretations and Action Plans: http://www.dman.com/verizon-data-breach-investigations-report-2011/
Contact me: [email protected]