Verizon Offers Mid-Year Report On Security Breaches

Verizon Business has released a mid-year supplement to its Data Breach Investigations Report, providing details on the 15 categories of attacks and exploits that its internal security teams say are the most prevalent. The supplement also describes how these attacks typically play out in practice and offers tips on mitigating the risk of each.

December 21, 2009


The fifteen categories covered by the supplement are:

  • Keylogging and spyware

  • Backdoor or command/control

  • SQL injection

  • Abuse of system access/privileges

  • Unauthorized access via default credentials

  • Violation of acceptable use and other policies

  • Unauthorized access via weak or misconfigured access control lists (ACLs)

  • Packet sniffer

  • Unauthorized access via stolen credentials

  • Pretexting or social engineering

  • Authentication bypass

  • Physical theft of asset

  • Brute-force attack

  • RAM scraper

  • Phishing (and endless "ishing" variations).

Bryan Sartin, director of investigative response and head of the forensics team at Verizon, says that the supplement is the result of feedback from the security professionals and managers who read the annual report on data breaches. He says, "Our blog helps us pick up information from the public, and we also get information from our customers. Our feedback from the '09 report had some common themes. One of the most common things was that people needed more narrative. They love the statistics and narratives, but people wanted the case studies, the prose about what we found."

More than just stories, though, readers wanted highly targeted information they could use directly in their work. "IT people seem to want a 'silver bullet' where they have something to take to a non-technical manager to help them understand the importance of this security thing," he says. Readers also wanted Verizon to address a perceived bias: its reports find insider threats to be less of a problem than other security groups claim. The authors attribute the gap mainly to how Verizon classifies breaches compared with other groups. Many public disclosures, for instance, do not identify the source of the breach in the initial report.

Sartin uses key-loggers as an example of the kind of information the report contains. For key-loggers, the report gives details on the threat, the industries hit most often, the share of Verizon's case load made up of key-logger incidents, and ways that organizations can detect key-loggers in their environment. For each threat type it also lists "mitigators", the measures an organization can take against that threat. Sartin says, "One of the best parts of this is that we hope readers can take the example and bring it to one of their managers and say 'here's a company that looks like us, and they had a breach, and if you look at the key indicators and mitigators, they're set up like we are, so we need to be more active.'"

The second part of the study deals more explicitly with the bias question. Verizon compared its records with those of datalossdb.org, and its forensics teams worked with datalossdb to compare the data sets each group had built. Ultimately, Verizon added a separate appendix that explicitly compares the two organizations' observations. According to Sartin, once a reader looks carefully at each report, the reasons behind any perceived differences become clear. "You can see that we have a fundamentally different orientation than they do. They look at things like devices lost, where we verify data loss from intrusions and things like that. If you take away the 'at risk' categories from their data you can see that there aren't a ton of differences except in a few areas," he says. Sartin says it is easy to see where the differences between the reports lie. "The big delta is in partner breaches, which we see a lot, but is rarely admitted to in public disclosures. We do have a series of recommendations for the things we show, including a common taxonomy for breaches that are made public. Making this public according to a common framework could be helpful, and we're considering doing that internally, to have a common framework for the things we report to the public and to law enforcement," he says.

The biggest surprise readers are likely to find in the new report is that it is all about evolution in cyber-crime. Sartin says, "Organized crime doesn't need sophisticated techniques, the data is there for the taking. Every company, no matter how big or small, gets hit by the same basic five or six threats." In response to reader feedback, Verizon has tried to summarize the report's recommendations. One key recommendation is that successful security is not about sophisticated attacks and zero-day vulnerabilities; administrators should focus on the essentials first. Once those are covered, staff can move on to the more sophisticated attacks and how to stop them. Sartin says one of their critical recommendations is that people actually look at the data they already have. The logic is the same as a firewall's: a breach has two legs, the attacker breaking in and the data going out, and cutting either one ends the data loss. The outbound leg is the one an organization's own connection logs are most likely to show, which makes it the easier side of the conversation to kill. Sartin says, "If you can learn a lesson from the people who have been breached, it's to look at what's going on and recognizing it and shutting it down before it becomes a data loss."
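
The "look at the data you already have" advice, applied to the outbound leg, as an added example that is not code from the article or from Verizon's report. It reviews a constructed firewall connection log and flags internal hosts that reach the internet when policy says they should not, plus any host whose total outbound volume is unusually large. The log format, the 10.0.0.0/8 internal range, the proxy address 10.1.8.4, and the 50 MiB threshold are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a firewall connection log (not from the article or from
# Verizon's report). One record per line:
#   timestamp  src_ip  dst_ip  dst_port  bytes_sent_by_src
SAMPLE_LOG = """\
2009-12-01T02:13:05 10.1.5.20 10.1.5.10 1433 2048
2009-12-01T02:14:11 10.1.5.10 198.51.100.23 443 73400320
2009-12-01T02:15:40 10.1.8.4 203.0.113.9 80 15200
2009-12-01T02:16:02 10.1.5.10 198.51.100.23 443 52428800
2009-12-01T02:17:30 10.1.8.4 93.184.216.34 443 4100
2009-12-01T02:18:12 10.1.9.77 192.0.2.55 6667 900
"""

# Assumptions for this example: the internal network is 10.0.0.0/8, and the only
# host that is supposed to initiate connections to the internet is the outbound
# proxy 10.1.8.4. Everything else (database servers, workstations, and so on)
# should reach the internet only through that proxy.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EGRESS_ALLOWED = {"10.1.8.4"}

# Total bytes sent to external hosts, per internal host, above which the traffic
# deserves a closer look even if the host is allowed outbound (assumed value).
BYTES_THRESHOLD = 50 * 1024 * 1024


def parse_line(line):
    """Split one log record into a dict; raises ValueError on a malformed line."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def is_outbound(rec):
    """True if the connection leaves the internal network."""
    return (ipaddress.ip_address(rec["src"]) in INTERNAL
            and ipaddress.ip_address(rec["dst"]) not in INTERNAL)


def find_egress_findings(log_text):
    """Review the outbound leg of every connection and return a list of
    (host, reason, detail) tuples, sorted by host:
      - "unexpected-egress": an internal host outside EGRESS_ALLOWED talked to
        the internet at all (detail: sorted list of "dst:port" it reached)
      - "egress-volume": a host sent more than BYTES_THRESHOLD in total
        (detail: the byte count)"""
    bytes_out = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_outbound(rec):
            continue  # internal-to-internal traffic is not egress
        bytes_out[rec["src"]] += rec["bytes"]
        dests[rec["src"]].add(f'{rec["dst"]}:{rec["port"]}')

    findings = []
    for host in sorted(bytes_out):
        if host not in EGRESS_ALLOWED:
            findings.append((host, "unexpected-egress", sorted(dests[host])))
        if bytes_out[host] > BYTES_THRESHOLD:
            findings.append((host, "egress-volume", bytes_out[host]))
    return findings


if __name__ == "__main__":
    for host, reason, detail in find_egress_findings(SAMPLE_LOG):
        print(f"{host:<12} {reason:<18} {detail}")
```

On the sample log the database host 10.1.5.10 is reported twice, once because it should not be talking to the internet at all and once because it pushed about 120 MiB to a single external address, while the IRC-port connection from 10.1.9.77 is caught on policy alone. The proxy generates no findings. The point is the one Sartin makes: the exfiltration leg was already sitting in a log the organization collects, and a simple policy check against that log would have flagged it before it became a data loss.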

The report's importance is clear. The typical time between initial intrusion and data loss is seven months, and most companies do not recognize a breach until a partner or bank calls to say there is a problem. A staff that knows the likely breach types and has designed responses to mitigate them is well ahead of the curve.
