
2012 Data Breach Investigations Report



A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information Security Service, Police Central e-Crime Unit of the London Metropolitan Police, and United States Secret Service.

2012 Data Breach Investigations Report

Brian Grayek CISSP, ITILv3

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 3

Data Breach Investigations Report (DBIR) Series

An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.

Available at: www.verizon.com/enterprise/databreach

Updates/Commentary:


Hold on… Wha???

Why is my telco investigating breaches?


Enterprise Solutions to Meet Business Imperatives

IT Services
• Cloud-based Services
• Data Center Services
• Managed Applications
• Managed IT
• Equipment and Services
• Professional Services

Security Services (the RISK Team falls here)
• Government, Risk and Compliance
• Identity and Access Management
• Managed Security
• Equipment and Services
• ICSA Labs
• Professional Services

Communications Services
• Contact Center Services
• Unified Communications
• Video, Web and Audio Conferencing
• Traditional Voice
• Emergency Communications Services
• Equipment and Services
• Professional Services

Networking Services
• Internet
• Private WAN
• Private Point to Point
• Access Services
• Managed Networks
• Equipment and Services
• Professional Services

Mobility
• Advanced Communications
• Applications and Content
• Global Communications
• Hardware
• Mobile Data
• Voice and Messaging
• Professional Services


2012 DBIR Contributors


Methodology: Data Collection and Analysis

• DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.

• Enables case data to be shared anonymously with the RISK Team for analysis.

VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.


An overview of our results and analysis


Threat Agents


Threat Agents: Larger Orgs


Threat Agents


Threat Agents: External


Threat Actions


Threat Actions: Larger Orgs


Top Threat Actions


Top Threat Actions: Larger Orgs


Compromised Assets


Most Compromised Assets


Compromised Assets: IP & classified data

• Servers: 98%
• Networks: 0%
• User Devices: 7%
• Offline Data: 41%
• People: 46%


Asset Ownership, Hosting, and Management


Compromised Data



Attack Difficulty


Attack Targeting


The 3-Day Workweek


Timespan of Events


Timespan of Events: Larger Orgs


Breach Discovery



PCI DSS Compliance


An overview of Recommendations


Recommendations: Smaller Orgs


Recommendations: Larger Orgs


Verizon Solutions:

“Eliminate unnecessary data; keep tabs on what’s left”

Data Protection
– Strategy/Assessment – Business Case Analysis, Roadmap and Policy Review, Data Protection Strategy, Product Evaluation
– Data Discovery and Classification – DDISC, Information Classification
– Data Loss Prevention – DLP Maturity, DLP Operationalization, DLP Health Check, DLP Management
– Encryption/Key Management – PKI Roadmaps and Deployment, File/Folder and Full Disk, Email and Messaging, Application and Platform Specific (e.g., Oracle)
– Post Leak Management – Rights Management, Mobile Device Remote Kill


Verizon Solutions: Larger Orgs (cont’d)

“Ensure essential controls are met; regularly check that they remain so”:

– Managed Security Services

• Identity & Access Management

• Vulnerability Management

– Professional Services

• Business Security Assessment

• Information Assurance (IA) Management Action Plans


Recommendations and Solutions: Larger Orgs (cont’d)

“Monitor and mine event logs”:

– Managed Security Services

• Application log monitoring and management service

• Managed network and security services for remote monitoring and management of devices (e.g., firewalls, VPNs)

• Network and host intrusion detection/prevention systems

• Gateway anti-virus systems, proxy and content screening systems

• Identity & Access Management

• Log Analysis Tools

– Professional Services

• Identification of critical log sources

• Defining security requirements

• Customizing a filtering, classification policy

• Implementation capabilities including project and technology management, and configuration (including standardizing log formats before transport to a central log server)

• On-site installation and staging


Recommendations and Solutions: Larger Orgs (cont’d)

“Evaluate your threat landscape to prioritize your treatment strategy”:

– Professional Services

• Internal and External Network Vulnerability Testing

• Penetration Testing

• Application Vulnerability Assessment


Verizon Solutions

Protect Against the Top 10 Threat Actions:

Hacking: Use of stolen credentials (30% of breaches)

Description

Refers to instances in which an attacker gains access to a protected system or device using valid but stolen credentials.

Verizon Enterprise Solution

- Identity & Access Management (professional and managed services)

- Security Awareness Training

- Security Management Program

Malware: Backdoors, Command and Control (18% of breaches)

Hacking: Exploitation of backdoor or command and control channel (17% of breaches)

Description

Tools that provide remote access to and/or control of infected systems. Backdoor and command/control programs bypass normal authentication mechanisms and other security controls enabled on a system and are designed to run covertly.

Verizon Enterprise Solution

- Professional Services: Security Policy Review

- Professional Services: Host-build assessment

- Managed Security Services: Host IDS

- Internet Managed Scanning Services

- Data Loss Prevention (strategy, planning, design, implementation & management)

- Log Monitoring and Management

- Identity and Access Management (professional and managed services)

Physical: Tampering (17% of breaches)

Description

Unauthorized altering of or interfering with the normal state or operation of an asset. Refers to physical forms of tampering rather than, for instance, altering software or system settings.

Verizon Enterprise Solution

- Security Awareness Training


Keylogger/Form-grabber/Spyware (13% of breaches)

Description

Malware that is specifically designed to collect, monitor, and log the actions of a system user. Typically used to collect usernames and passwords as part of a larger attack scenario. Also used to capture payment card information on compromised POS devices. Most run covertly to avoid alerting the user that their actions are being monitored.

Verizon Enterprise Solution

- Professional Services: Security Policy Review

- Professional Services: Host-build assessment

- Managed Security Services: Host IDS

- Internet Managed Scanning Services

- Identity and Access Management

- Security Management Program

Pretexting (Social Engineering) (12% of breaches)

Description

A social engineering technique in which the attacker invents a scenario to persuade, manipulate, or trick the target into performing an action or divulging information. These attacks exploit “bugs in human hardware” and, unfortunately, there is no patch for this.

Verizon Enterprise Solution

- Professional Services: Social Engineering

- Security Awareness Training

- Security Management Program


Brute-force attack (8% of breaches)

Description

An automated process of iterating through possible username/password combinations until one is successful.

Verizon Enterprise Solution

- Identity & Access Management Services

- Professional Services: Encryption and Key Management

- Application Log Monitoring
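As an added example (not part of the presentation), the “Application Log Monitoring” recommendation applied to the brute-force pattern described above: detection logic run over constructed OpenSSH-style auth log lines that flags a burst of failed logins from one source and, more importantly, the accepted login that follows it. The log format, the year assumed for syslog timestamps, and the threshold and window are assumptions, not values from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH-style auth log lines (sample data, not from the report).
SAMPLE_LOG = """\
Mar 14 02:10:01 web01 sshd[4011]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Mar 14 02:10:03 web01 sshd[4012]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Mar 14 02:10:04 web01 sshd[4013]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Mar 14 02:10:06 web01 sshd[4014]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Mar 14 02:10:08 web01 sshd[4015]: Failed password for admin from 203.0.113.7 port 51005 ssh2
Mar 14 02:10:09 web01 sshd[4016]: Accepted password for admin from 203.0.113.7 port 51006 ssh2
Mar 14 02:15:30 web01 sshd[4020]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Mar 14 02:15:41 web01 sshd[4021]: Accepted password for alice from 198.51.100.2 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2012):
    """Turn one auth log line into a dict, or None if it is not a password event.
    Syslog lines carry no year, so one is assumed to build full timestamps."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logins inside a sliding time window.

    Returns {src: {"failures": n, "users": set, "success_after": user_or_None}}.
    success_after records the first accepted login from a flagged source once
    the burst has started: the attacker appears to have found a working
    credential, which is the event that should page someone."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> timestamps of failures still in the window
    tried = defaultdict(set)      # src -> usernames attempted so far
    alerts = {}
    for e in events:
        src = e["src"]
        if e["outcome"] == "Failed":
            q = recent[src]
            q.append(e["ts"])
            tried[src].add(e["user"])
            while q and e["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_after": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = set(tried[src])
        elif src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = e["user"]
    return alerts


if __name__ == "__main__":
    for src, a in detect_brute_force(SAMPLE_LOG).items():
        print(f"{src}: {a['failures']} failures, users {sorted(a['users'])}, "
              f"accepted login as {a['success_after']}")
```

The single failure from 198.51.100.2 followed by a success is ordinary user behaviour and is not flagged; only the source that crossed the threshold and then authenticated is reported.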

SQL injection (8% of breaches)

Description

SQL Injection is an attack technique used to exploit how web pages communicate with back-end databases. An attacker can issue commands (in the form of specially crafted SQL statements) to a database using input fields on a website.

Verizon Enterprise Solution

- Application Vulnerability Scanning

- Secure Application Development Training

- Application Security Program

- Professional Services:
  - Secure Source Code Review
  - Penetration testing
  - Application firewall implementation, monitoring & management
  - Identity and Access Management
  - Database audit technology monitoring & management
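As an added example (not code from the presentation), the defect the SQL injection description above refers to, shown the way a secure source code review would present it: a login query that splices form input into the statement text next to the same query with bound parameters, run against a constructed in-memory SQLite table. The table layout and sample rows are assumptions.

```python
import sqlite3

# Constructed sample rows (not data from the report): a minimal users table.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b")]


def setup_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password_hash):
    """Form input is spliced into the statement text, so a quote character in the
    input closes the string literal and whatever follows is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, password_hash))
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password_hash):
    """Bound parameters are sent separately from the statement; the database
    compares the whole input as a value and never re-parses it as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    )
    return [row[0] for row in rows]


def compare(username, password_hash):
    """Run the same input through both versions and return (vulnerable, parameterized)."""
    conn = setup_db()
    return (login_vulnerable(conn, username, password_hash),
            login_parameterized(conn, username, password_hash))


if __name__ == "__main__":
    # A legitimate login matches one row in both versions.
    print(compare("alice", "hash-a"))
    # A crafted value turns the WHERE clause into one that is true for every row
    # in the vulnerable version; the parameterized version matches nothing.
    print(compare("x' OR '1'='1", "x' OR '1'='1"))
```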


Recommendations and Solutions: Protect Against the Top 10 Threat Actions (cont’d):

Unauthorized access via default credentials (43% of breaches with single threat action)

Description

Refers to instances in which an attacker gains access to a system or device protected by standard preset (and therefore widely known) usernames and passwords.

Verizon Enterprise Solution

- Identity & Access Management (professional and managed services)

- Partner Security Program

- Security Management Program

- Penetration Testing

Phishing (and endless *ishing variations) (8% of breaches)

Description

A social engineering technique in which an attacker uses fraudulent electronic communication (usually e-mail) to lure the recipient into divulging information. Most appear to come from a legitimate entity and contain authentic-looking content. The attack often incorporates a fraudulent website component as well as the lure.

Verizon Enterprise Solution

- Internet Managed Scanning Services

- Managed Web-Content Filtering (Websense, etc.)

- Professional Services: Security Policy Review

- Security Management Program


Measuring and managing information risk

To properly manage risk, we must measure it. To properly measure risk, we must understand our information assets, the threats that can harm them, the impact of such events, and the controls


A threat event that is measurable (and thus manageable) identifies the following 4 A’s:

Agent:

Whose actions affected the asset

Action:

What actions affected the asset

Asset:

Which assets were affected


Diagnose Ailments


✔ Treatment strategy
✔ Policy
✔ People
✔ Process
✔ Technology


EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk.


Data Breach Investigations Report (DBIR) series = evidence


DBIR: www.verizon.com/enterprise/databreach

VERIS: https://verisframework.wiki.zoho.com/

Blog: http://www.verizon.com/enterprise/securityblog
