What Does Verizon’s 2011 DBIR Mean to Your Enterprise?

Sunday, July 24, 2011

Robb Reck



A few weeks ago we looked at Trustwave’s 2011 Global Security Report. This week I want to point out a few of the critical points in Verizon’s 2011 Data Breach report.

I want to start by saying that these lessons are not easy, but they are simple. It’s not easy to ensure that every system in your environment is accounted for, and you know what data is being held where.

But it is simple: to ensure that your systems are being properly secured, you must know what and where they are. It’s not easy to go through every system in our environment and ensure that remote administration is turned off where it can be and closely monitored where it cannot, but it is simple: if you don’t know where the doors into your data are, you can’t defend them.

Our job in information security is not easy, but it is simple. It’s our job as information security practitioners to take the simple requirements (understand your environment, enforce least privilege) and turn them into practical, tactical game plans that our teams can implement.

With that out of the way, let’s take a look at a few of the interesting findings from Verizon’s report.

  • Verizon found a dramatic drop in the number of records compromised this year. 2008: 361m, 2009: 144m, 2010: 4m. At this pace we should expect the criminals not to steal any records in 2011, but actually to give back 100 million or so. What’s really happening here is probably that the criminals are becoming much more discerning in their targets. As the black market value of PII goes down (due to oversupply), there’s less incentive to find that data. So criminals are now focusing their efforts on the less plentiful, but more valuable, data. Trade secrets, military intelligence, confidential information… those are where the money is. I believe that criminals will focus less on large smash-and-grab campaigns looking for large caches of user info, and more on silent attacks where they seek to gather corporate, government and military information for larger political or financial impact.
As the value for PII goes down criminals focus more on high value corporate, government and military secrets
  • 49% of breaches incorporated the use of malware. Trustwave’s report showed 76% of attacks involved malware. The message from these two reports is pretty clear: a very significant number of attacks are perpetrated using malicious software as a jumping-off point. This may be a Trojan designed to spread as far as possible on the internet (think Zeus), or it could be a carefully crafted application designed to infiltrate one company (think Google’s China hack). In either case, it’s more important now than ever to follow safe browsing guidelines and avoid connecting potentially compromised machines to protected networks.
  • Last year I commented on external threats being higher than anticipated (70% of attacks in 2010), and this year it’s dramatically higher. A full 92% of attacks stemmed from external agents. It may be time for us in information security to consider anew where to allocate our resources. Is it heresy to suggest spending more time and money on external penetration testing and less on internal security awareness training? I’m not sure what the right balance is, but apparently it’s those outsiders who are once again our biggest threat.
  • 83% of victims were targets of opportunity. It goes back to the old idea that your house doesn’t need to be totally secure, just more secure than your neighbors’ houses. Or, as the joke goes:
Two men are walking in a forest. They see a bear with children, so they start running, and the bear follows them. One man stops and starts putting on running shoes. The other guy asks him: "Do you really think that running shoes will make you run faster than the bear?" and the first guy answers, "No, but it should make me faster than you!"
  • 89% of victims that were supposed to be PCI-DSS compliant were not. Last year this number was 79%. Combine this with the fact that most of the victims were targets of opportunity, and the message is very clear: Spend the time and money to meet a minimum baseline of security and your odds of being breached go down drastically.

The reality of the business world is resource scarcity. We simply can’t afford to keep doing all of the security measures we’ve done in the past while adding more and more new ones. The administrative, licensing and maintenance load becomes unbearable. Something has to give. By studying these kinds of reports over the years, and finding where the real threats exist, we can consider which new technologies make sense to add, and which old safeguards might not be worth their expense now.

Thanks again to the team at Verizon for sharing this excellent data with the community at large. We are in your debt.

Cross-posted from Enterprise InfoSec Blog from Robb Reck.

Wim Remes Disclaimer : I'm not affiliated with Verizon. Whatever I write here is my personal opinion.

I think what you suggest here is dangerous and erodes the value of the Verizon DBIR in and of itself. You single out specific details from the report to support a case ... but the case remains murky and ill-conceived.

Verizon, in its communication around the DBIR, makes it very clear that the report is best read as a narrative around the data gathered from the specific caseload handled by Verizon incident handlers and the Secret Service. It does not, as far as I understand, provide a view on the *state of things* in general.

Debunking your analysis point by point ... I will try :

1. You assume that the criminals stealing PII are the same criminals stealing corporate secrets. I argue that these are completely different threat populations. The recent events have made clear that, if Verizon is involved in all or any of these cases, the # of records will rise significantly again. Although they might drop if Verizon is not involved in these cases. You forget to mention this: the DBIR does not cover all cases, only the Verizon cases.

2. You compare two percentages without mentioning the sample size: 49% of 10 or 49% of 100,000? It's a difference.

3. Verizon uses VERIS (look it up). It is entirely possible to include multiple threat agents. For instance an external perpetrator sending a crafted e-mail with infected PDF file to a selected internal employee. Your reasoning falls apart.

4. How does this not contradict point 1? You should protect your most important data, but just enough so your neighbour gets slammed instead of you? What is secure enough? PCI compliant (just like your neighbour) or wait ... that's next.

5. Those that were *hacked* were compliant until they were reviewed after the hack. I think this is exactly where our industry is failing. We are making money while not caring for security AT ALL. Someone reviewed those customers, someone charged top dollar to make them feel secure (by adhering to a failing set of rules composed as an insurance to other organizations) and still they got their asses owned. THEY WERE COMPLIANT, how would meeting another compliance framework have reduced their odds???

I only agree that the Verizon DBIR is a must-read for anyone in the industry. They do top work; it's a pity that half-assed analyses drain the value from what the DBIR really is.

Robb Reck Well, at least we can agree that the report is worth reading.

I'm not sure what bias you think I have here, and what "case" I am trying to support. I am simply writing about the things I found interesting from the VDBIR, and the conclusions I draw from it. Disagreeing is healthy and worthwhile, though I could wish for the disagreement to be a bit more politely expressed.
Wim Remes I just said your conclusions are mostly wrong. I know I can be more polite, but circumstances forced me to deliver it a little cruder than intended. My apologies for that.

There were also some questions in my post...