Script kiddies take over from criminal 'masterminds': Verizon study

Data breaches nearly doubled last year compared to the previous year but the number of stolen records dropped from 144 million in 2009 to four million last year, according to the 2011 Verizon Data Breach Investigations Report, released yesterday.

It considered more than 760 breaches last year probed by Verizon, the US Secret Service and the National High Tech Crime Unit of the Netherlands Policy Agency, which provided an international caseload.

The disparity between the few records exposed and the many incidents was attributed to a shift in the cybercriminal landscape, said Bryan Sartin, director of investigative response at Verizon.

Large-scale intrusions that compromised millions of records, such as at Heartland Payment Systems and TJX, decreased due to convictions of their masterminds, such as Albert Gonzalez.

But the number of breaches increased as less-skilled criminals relied on automated tools to carry out easily perpetrated attacks against mostly small businesses, Sartin said. But they yielded smaller amounts of data than Gonzalez's conquests.

“We aren't dealing with the same organided, resourced hackers we saw in the past,” Sartin said. “It's increasingly disorganized crime that makes up the threat.”

Verizon found 61 percent of the 760 beaches investigated affected organidations with 11 to 100 employees.

That should serve as a wake-up call for organisations that may not think they are a viable target, Mike Lloyd, said chief scientist for compliance and vulnerability management solutions provider Red Seal Systems.

“When attackers are using automated scripts, to a large extent, they don't care who you are,” he said. “They care about what you have, and they are coming for you.”

Although recent breaches were categorised as advanced persistent threats - a name given to sophisticated and stealthy attacks often attributed to state-sponsored hackers in China -  most data loss was far less menacing, Sartin said.

“It has become, in the US, very chic to blame your problems on the Chinese,” he said. “How do you defend against a nation state? It sounds a lot better than a 17 year-old kid that lives in Belarus in his parent's basement.”

He said breaches investigated last year by Verizon were publicly disclosed as such an advanced threat, but that was not so.

“Almost no law enforcement agencies around the globe have a nation-state electronic crimes facet to their caseloads,” he said.

The cause of breaches

• 92 percent: External attackers
• 17 percent: Insiders, usually malicious
• 9 percent: A combination

In reality, “most victims are a target of opportunity rather than choice,” and 96 percent of breaches investigated last year were preventable through "simple or intermediate controls," according to the report. These were changing default credentials, restricting and monitoring privileged users, securing remote access services, enabling and monitoring application and network logs and regularly reviewing source code for vulnerabilities,

Last year's report was notable for sounding the alarm on the insider threat. That study, the first time the Secret Service caseload was incorporated, found 49 percent of breaches implicated insiders, but that fell to 17 percent this year. According to the new report, that was an indication of a "huge" increase in smaller, outside-in attacks than a drop in malicious insiders.

“[Last year] wasn't a success story in terms of improved security, that's a fact, but breaches tended to be smaller in nature,” said Jake Kouns, co-founder and president of the Open Security Foundation, which oversees the DataLossDB, which also tracks data breach incidents.

“Even a smaller breach can really cause a massive impact. It doesn't need to [involve] millions of records to impact an organization or consumer.”

Enterprises often made the mistake of achieving a high level of security in certain areas, while ignoring others.They should eliminate unnecessary data, then identify essential controls to implement them across the enterprise.

Joshua Corman, research director of the enterprise security practice at analyst firm The 451 Group, said the 72-page report yields a “treasure trove” of potential insights that should be carefully interpreted.

A quick read of the data may lead to complacency among larger organisations, which were facing threats to sensitive corporate data, he said. Though the report noted an “explosion” of breaches involving small businesses, it also found the number of incidents affecting large organisations, or those with 1000 to 10,000 employees, doubled since last year.

And although payment card data, authentication credentials and personal information represented most data compromised, 5 percent or 41 breaches involved theft of intellectual property.

Corman said that should startle large businesses wanting to protect valuable intellectual property.

“We know that IP theft is more serious, rampant and visible,” he said.

“Attackers have evolved and care more about your secrets. Don't be distracted that a large number [of breaches] were automated attacks against small merchants. That doesn't make you safe.”

This article originally appeared at scmagazineus.com