Friday, June 13, 2008

Verizon 500 breach report

Verizon has published a study of 500 investigations over the last 4 years. There are some obvious flaws (pie charts are never a good sign), but it's got a lot of useful content. The industry is full of misconceptions because people don't pay attention to what's really going on out there. This report has data the answers a lot of questions.

Misconception: "the standard way to take control of someone else's computer is by exploiting a vulnerability in a software program on it"
Verizon data: Only 15% of breeches where from hacking software vulnerabilities.

Misconception: Hackers target their victims.
Verizon data: 85% of attacks were "opportunistic", the hackers didn't know who their victims were until after they broke in.

Misconception: Certified anti-virus products detect over 99% of all viruses.
Verizon data: 25% of viruses/malware were customized to their victims and undetectable with standard anti-virus.

Misconception: Hackers are smart, clever, geniuses, wizards, etc.
Verizon data: 55% where of attacks required essentially no skills, the level of "script kiddies" running automated tools. Only 17% required "advanced" skills.

Misconception: It's the insider threat. No, wait, it's outsiders. No, I mean, it's the partners.
Verizon data: 73% external, 18% internal, 39% partners. However, external breaches tended to be minor, whereas internal and partner breeches were major. Their numbers show that all three are important threats and that it's hard to measure which one is worse.

Misconception: Numbers are definitive.
Verizon data: These numbers are bit subjective. For example, they notice that "physical breaches" were rare, but that's because Verizon wouldn't be called in to investigate a physical breach.

Question: What are hackers after?
Verizon data: Credit Card data (84%), Personal identity (32%), Username/passwords (15%)

Question: How old are the vulnerability exploits hackers use?
Verizon data: 71% older than 1-year, another 19% older than 6 months.


Nathan Keltner said...

Why are the sum of the percentages often greater than 100%?

Additionally, as internal breaches often go unreported, I would assume their data regarding internal vs. external threats is problematic.

Ryan said...

The two sums that are greater than 100% are the weather the attacks were internal external and partner and what type of information the hackers were after in which case the hackers were probably after multiple pieces of information and the attacks could have been included in both external and partner.

Benjamin Wright said...

Robert: The Verizon study spotlights an important topic for debate. Legally speaking, what is "reasonable security?" FTC punished TJX for not having it, but I argue FTC was wrong. Verizon says 9 of 10 data breaches could have been avoided if "reasonable security" were present. That implies 9 in 10 breach victims were in violation of law. The study's outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates if reasonable security could have prevented a break-in, it does so with benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is "an extremely complex challenge." In other words, the sheer problem of locating data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon's reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. What do you think? --Ben