As Forrest Gump said, "Stupid is as stupid does." The 2009 Verizon Business Data Breach Investigations Report confirmed what the 2008 report revealed: attackers usually gain a foothold through stupid, basic errors.
"In virtually all the cases, we found that lots of the things that were simple and straightforward, had they been deployed, would have stopped the attack," said Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions. "Simple things like changing the password from the word 'password' on the system; those basic errors were somewhere, endlessly; they were everywhere."
In fact, the 2009 Verizon Business Data Breach Investigations Report found that kind of error in 67% of the 90 confirmed data breaches Verizon investigated last year, usually on a third-party system that was tangential to the heart of the enterprise. But such systems open the door to the good stuff: thousands or even millions of customer records.
Most of the damage was done to a handful of financial institutions. Financials accounted for 93% of the 285 million compromised records, more records than the four years' worth of investigations covered in the 2008 report combined. About a dozen huge breaches accounted for the preponderance, according to Tippett.
The increase in data breaches in financial services reflects cybercrime trends, especially last year's huge jump in the number of attacks targeting PINs and the associated credit and debit card account data, according to Verizon.
The report also belied the common perception that the biggest data loss threat comes from insiders. External-only breaches accounted for about 267 million of the 285 million compromised records. Three-quarters of the breaches came from external sources, while only one in five were internal.
Most of the insider incidents involved employees who were unwittingly exploited by outside attackers through their own errors or policy violations. Only 11% were insider-only breaches, accounting for a little over a million stolen records.
The report breaks attacks into two broad categories: fully targeted and opportunistic. In fully targeted attacks, the attackers chose the victim organization first and then set out to find a way to exploit it.
"Opportunistic" attacks come in two subcategories. In directed opportunistic attacks, the target is chosen because it has a known weakness that can be exploited. In random opportunistic attacks, the attackers discover a weakness through, say, a scan of large address spaces, and then exploit whoever turns up.
Alarmingly, 85% of the 285 million records breached were harvested by custom software designed to circumvent the particular victim's defenses. In some cases, existing malware was repacked to evade antivirus signatures, modified for additional functionality or tailored to the victim's environment.
But, most commonly, the malware appeared to be written from scratch to exploit a specific victim organization.
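The repacking the report describes defeats any antivirus check that keys on the bytes of a known sample. The following is an added illustration, not code from the article or from Verizon's report: a constructed stand-in "payload", a toy XOR packer, and two detectors that carry the same signature, one applied to the bytes on disk and one applied after unpacking. Everything here (the payload text, the `XORSTUB:` marker, the keys) is invented for the demonstration.

```python
"""Added example: why a hash or byte-pattern signature fails as soon as a
sample is repacked, and why scanning the unpacked payload still works.
The payload, packer and signatures are all constructed toy data; nothing
here is real malware or a real packer format."""
import hashlib

# Constructed stand-in for a malicious payload (plain text, not real code).
PAYLOAD = b"CONNECT c2.example.invalid:443 THEN DUMP cardholder_db"

# A byte-pattern signature of the kind an AV engine carries, plus the
# hash of the original sample. Both are derived from the unpacked sample.
SIGNATURE = b"DUMP cardholder_db"
KNOWN_HASH = hashlib.sha256(PAYLOAD).hexdigest()

# Marker the toy packer prepends. A real packer emits a decoder stub here;
# the marker plus a one-byte key stands in for that stub.
STUB = b"XORSTUB:"


def repack(payload: bytes, key: int) -> bytes:
    """Toy packer: XOR every payload byte with `key` and prepend the stub and
    the key. Same behaviour when unpacked, different bytes on disk."""
    body = bytes(b ^ key for b in payload)
    return STUB + bytes([key]) + body


def unpack(sample: bytes) -> bytes:
    """Undo repack(); this is what an emulator or dynamic unpacker does
    before handing the sample to the scanner. Unpacked input is returned as-is."""
    if not sample.startswith(STUB):
        return sample
    key = sample[len(STUB)]
    return bytes(b ^ key for b in sample[len(STUB) + 1:])


def static_match(sample: bytes) -> bool:
    """Signature check on the bytes exactly as they sit on disk."""
    return hashlib.sha256(sample).hexdigest() == KNOWN_HASH or SIGNATURE in sample


def unpacked_match(sample: bytes) -> bool:
    """The same byte-pattern signature, applied after unpacking."""
    return SIGNATURE in unpack(sample)


def evaluate(keys=(0x5A, 0x7F, 0x10)):
    """Run both detectors against the original and several repacked variants.
    Returns {variant_name: (static_hit, unpacked_hit)}."""
    results = {"original": (static_match(PAYLOAD), unpacked_match(PAYLOAD))}
    for key in keys:
        variant = repack(PAYLOAD, key)
        results[f"repacked_{key:#04x}"] = (static_match(variant), unpacked_match(variant))
    return results


if __name__ == "__main__":
    for name, (static_hit, unpacked_hit) in evaluate().items():
        print(f"{name:16} static={str(static_hit):5} after-unpack={unpacked_hit}")
```

Every repacked variant slips past `static_match` while `unpacked_match` still fires, which is the gap the report's "repacked to evade antivirus signatures" finding points at. Real packers are far more elaborate than a one-byte XOR, but the lesson is the same: a detector that never sees the unpacked payload, or that does not also watch behaviour (the outbound connection, the database dump), has nothing to match on.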
"Targeting is up," said Tippett. "The four years before, almost all that were targeted were targeted by employees. This year, the amount targeted externally was up beyond that by insiders. In particular, the larger attacks were mostly targeted."
Enterprises were slow to discover the breaches; typically a month passed while the attackers continued to harvest data. In most cases a third party, not the victim, reported the problem after noticing it, for example as a pattern of suspicious credit card activity.
The message is clear. Most data breaches are external, and the biggest, baddest attacks are executed by highly skilled criminals who are determined to reap as much data as they can from treasure troves of customer information.