Attackers are refining the way they hack into enterprises, shifting to smaller targets with fewer security defenses. It’s a move that is driving down the number of records compromised to an all-time low, according to the latest information disclosed in the Verizon 2011 Data Breach Investigations Report.
The number of compromised records dropped significantly, from a high of 361 million records in 2008 to just 4 million records in 2010, according to the 2011 edition of the Verizon data breach report, issued Tuesday. The study, which security experts say has become the industry’s most reliable source for metrics on breach investigations, is the largest of its kind. It examined 923 unique cases, spanning more than six years of investigations by Verizon, the U.S. Secret Service and the Dutch National High Tech Crime Unit, which offered data on attacks in Europe.
The figures suggest that cybercriminals have been driven to change their tactics, said Bryan Sartin, director of investigative response at Verizon. Stolen credit card data, which has been the de facto currency among cybercriminals, flooded the market, and its value dropped precipitously, Sartin said.
Meanwhile, he said the value of authentication records, such as usernames and passwords, has risen dramatically. Credentials to gain access to government systems can fetch as much as $30,000 on the black market. In addition, company proprietary data—including intellectual property, sales contacts and other sensitive data—is becoming more valuable.
“When it comes to targets, [attackers] don’t really pursue elephants like they used to; they now go after rabbits,” Sartin said. “Criminals realize that when you are hacking into large companies these days there is enough security evolution that their actions tend to leave a footprint behind and that footprint leads to prosecution.”
The study found that nearly all data breaches investigated by the organizations in 2010 involved an external attacker, while the number of breaches involving insider activity reached a near all-time low. Ultimately, Sartin said, attackers are stealing user credentials to gain access, hacking into the network and installing malware to compromise the confidentiality and integrity of servers.
The Verizon figures show attackers continuing to pick the low-hanging fruit: Most of last year’s attacks were relatively unsophisticated and most victims were targets of opportunity.
The report shows little bias, Sartin said, and the results are strikingly similar among the three organizations that contributed data. Half of all data breach cases involved some form of hacking and 49% incorporated some form of malware, an 11% increase over figures gathered in 2009.
Fifty-eight percent of attacks were traced to an organized criminal group, while 40% of data breach cases involved individuals, which Sartin said may indicate that automated attack tools are easier to obtain and use than ever before. Attacks are also becoming more automated and repeatable. At least 140 breaches investigated in 2010 were tied to a single individual using the same methods each time. Although the report covers only 2010 data, Verizon said several hundred more breaches have been discovered and linked to the same individual in 2011.
The smaller, targeted attacks are more difficult to trace than broad attacks because attackers often use stolen usernames and passwords as the point of entry, Sartin said. While attacks are getting smaller, they often involve the franchisees of big brands, he added. The hospitality industry made up 40% of all the breaches investigated by the organizations, retail accounted for 25% of data breach cases and financial services accounted for 22% of investigated breaches.
“We are seeing more of a bias [toward] companies between 1 to 100 employees being targeted right now than we’ve ever seen before,” Sartin said, adding that it typically takes smaller businesses longer to discover a breach—as much as six months from the point of entry to the point of awareness—giving attackers time to clean up their tracks. An example would be the recent attack against Boston-based restaurant chain Briar Group. Malware on the Briar Group’s restaurant systems remained there for eight months before it was removed. In addition, smaller businesses have limited to no log information for computer forensics investigators and many have no intrusion detection or prevention systems.
“Security is not what they do and oftentimes they even outsource their IT function outright,” Sartin said. “You find that no one was really responsible for security and a lot of times you find systems that are just running in their default states.”
Nearly all the breached organizations fell under the Payment Card Industry Data Security Standard (PCI DSS). Investigators found that 89% of the organizations were not compliant at the time of the breach.
Meanwhile, PCI may be fueling the increase in stolen intellectual property, according to Sartin. He said opportunistic attackers often ignore consumer data when they find payment systems and credit card data on isolated networks and under lock and key.
“Nine times out of 10, only a company’s payment card data falls under an external compliance mandate, and that data tends to be locked down and encrypted and [enterprises] maintain accountability of who accesses it and when,” Sartin said. “When data breaches occur at those enterprises, the other information types that are there are, by comparison, reasonably unprotected and unaccounted for.”