LAS VEGAS -- Highly anticipated data released today by Verizon Business shows the number of insider breaches is rising, caused largely by malicious insiders who collude with cybercriminals, granting them access to critical systems.
The 2010 Verizon Data Breach Investigations report, released on the eve of Black Hat 2010, found that stolen credentials have become the most common way attackers gain access to enterprises. But the credentials were rarely stolen using sophisticated methods. Instead, malicious insiders were involved in 48% of cases -- a 26% increase vs. last year -- and in some cases, freely revealed their administrative passwords, giving attackers easy access to sensitive data, said Bryan Sartin, director of the Verizon Business Investigative Response team.
"Criminals have learned that the old hacking method to introduce malcode using crimeware to extract data has a downside to it," Sartin said. "It leaves behind the footprint and the good guys are getting better at finding that footprint."
For the first time since the Verizon data breach report was first published in 2008, Verizon Business used additional data breach case information from the U.S. Secret Service. Sartin said the cases examined for the report spanned six years and included nearly 900 individual data breach cases and 900 million compromised records. While malicious insiders were on the rise in 2009, Sartin said most breaches (85%) involved organized cybercriminal groups.
"Inside jobs are the easiest cases to solve because we can almost always trace [the crime] back to the employee," Sartin said. "In many cases, the employee who thought they would get paid can't even identify the person who promised them money for their services."
External attackers were behind 70% of breaches -- a 9% decline from last year's report -- using password-gathering malware like the Zeus Trojan, phishing and SQL injection to steal credentials and gain access to an enterprise's systems. Web application vulnerabilities continue to be the attack vector of choice, according to the report, which covers the 2009 calendar year.
Breaches involving business partners accounted for only 11% of breaches, according to Verizon Business. In addition, Sartin said, 40% of all breaches were the result of hacking, and 28% were due to social tactics.
Sartin said that for the first time, the overall number of data breaches declined in 2009. While the decline could be attributed to Verizon taking on fewer data breach cases, the market for stolen data is saturated, Sartin said, making the black market business of buying and selling stolen data less lucrative. While the study indicated that at one time stolen records sold for up to $15 each, credit card data, the most sought-after stolen data, has dropped to about 20 cents a record, Sartin said.
"Intellectual property is gaining more attention than payment cards," Sartin said.
Verizon said it could not detect a single data breach case in which attackers exploited a patchable vulnerability. SQL injection, stolen credentials and backdoors exploit problems that can't readily be patched, Sartin said. Enterprises would be better off leveling their patching strategies, he said, and instead focusing on code review and configuration management.
"Neither Verizon nor the Secret Service have credible evidence of a single patchable vulnerability being exploited in a data breach case," Sartin said. "It's the same easily identifiable exposures that are being targeted and can be identified with basic vulnerability scanning."