I read a couple of items today about security and cyber crime that I found rather interesting. One was an article that came out a week ago on infoworld.com about the “First Annual Cost of Cyber Crime Study,” conducted by Ponemon Institute. The study involved 45 midsize and large organizations, ranging in size from 500 to more than 105,000 employees. They represented a mixture of industries and government agencies. The study revealed that cyber crime cost these organizations an average of $3.8 million per year…each. The reported costs ranged from a low of $1 million to a high of $52 million per year.
The reported costs represent the direct cost of coping with attacks, including such things as the amortized annual cost of a Web application firewall purchased to respond to an attack on a Web application. They also included the time spent responding to attacks, the cost of disruption of business operations, lost revenue, and the destruction of assets. They found that it took an average of 14 days to respond to a successful cyber attack, at an average cost of over $17,000 per day.
Admittedly, a sample size of 45 companies is relatively small. But still – $3.8 million per year, average? Holy smoke!
The other piece of light reading will help to flesh out the picture and add some perspective. It’s the 2010 Data Breach Investigations Report conducted by the Verizon RISK team, in cooperation with the U.S. Secret Service. It combines data from Verizon’s 2009 case load with additional data contributed by the USSS to form a data set that spans six years and over 900 security breaches, representing over 900 million compromised records. About two-thirds of the breaches covered in the report have either not yet been disclosed, or never will be.
While the cases worked by the USSS more frequently involved insiders, in Verizon’s own cases, almost all data stolen in 2009 – 98% – was the work of criminals outside the victim organization. 85% of that data was stolen by “organized criminal groups.” For a definition of “organized criminal groups,” see Appendix A of the report…it’s pretty interesting reading in and of itself.
Not surprisingly, financial services organizations were most frequently targeted (33% of cases), for the same reason Willie Sutton robbed banks: that’s where the money is. But you may be surprised to learn that the hospitality industry wasn’t that far behind (23% of cases), followed by retail (15% of cases). And here are some other things that might surprise you (note that the following percentages add up to more than 100%, meaning that some cases involved more than one factor):
- 48% of breaches involved “privilege misuse” (that’s up 26% from the year before). The report defines this as any use of resources or privileges in a manner contrary to that which was intended, whether malicious or non-malicious. This category includes obvious actions such as embezzlement or deliberate theft of information by an insider, but also losses that resulted from abuse of system access, use of unapproved devices, violations of an organization’s Web or Internet use policy, abuse of private knowledge, use of unapproved software or services, unapproved changes and workarounds, and violations of an organization’s asset / data disposal policy.
- 40% resulted from hacking (down 24%) – the majority of which involved either the use of stolen login credentials, or SQL Injection attacks. A fair number also involved exploitation of default or guessable credentials (or cases where no credentials were required), and brute force and dictionary attacks.
- 38% utilized malware (unchanged)
- 28% employed “social tactics” (up 16%) – using deception (spoofing, phishing, forgery), manipulation, intimidation, bribery, extortion, etc., as a means of breaching an organization’s security. Social tactics are often combined with other categories, for example, malware designed to look like antivirus software.
- 15% were physical attacks such as theft, tampering, and surveillance (up 6%)
- And what may be the most astounding finding of all: “…there wasn’t a single confirmed intrusion that exploited a patchable vulnerability.” Does that mean you don’t have to pay attention to patching your systems? No, of course not. But what it means is that just because you are current on all of your patches it doesn’t mean you’re safe!
Here are some more commonalities in the attacks:
- 98% of all data breached came from servers.
- 85% of attacks “were not considered highly difficult.”
- 61% were discovered by a third party(!)
- 86% of victims had evidence of the breach in their log files(!!)
- 96% of breaches were avoidable through simple or intermediate controls.
- 79% of the victims that were subject to PCI DSS regulations had not achieved compliance with the regulations. Admittedly, that means that 21% had achieved compliance, and were breached anyway, but why stack the deck against yourself? If you’re subject to the regulations, make sure you’re in compliance.
So what are the takeaways from all of this data? Although I would encourage you to download and read all 66 pages of the Verizon report, here are a few points to consider:
- 86% of victims had evidence of the breach in their log files, yet 61% of the breaches were discovered by a third party. That suggests that, just maybe, we should be paying more attention to our log files. Now, I understand that there aren’t many cures for insomnia that are better than trying to parse through several servers’ worth of log files looking for anomalies. But that’s why there are automated tools these days that will do that for you.
- SQL injection has been around for over ten years, and still causes a large number of data breaches. Here’s a high-level example: you have a form on your Web site that is intended to capture user input and stuff it into a SQL database. Maybe it’s the billing information for your on-line shopping cart. But instead of entering the data you’re expecting, an attacker enters a SQL language statement that’s intended to either extract data from the database, modify data in the database, or deliver malware to the system.
You can’t fix this by applying a patch, modifying a setting, or changing a Web page. It’s almost always an input validation failure. That means you have to fix the code behind the application so that it actually validates that the information that’s being typed into a field is really the kind of information that’s expected. It isn’t necessarily easy, and it isn’t necessarily inexpensive. But data loss isn’t cheap, either.
- The use of stolen credentials was the top hacking method used. Two-factor authentication (e.g., RSA’s SecurID), which can largely render stolen credentials useless, has been around for years. Apparently not enough organizations are using it.
- One of the more interesting (to me, anyway) recommendations in the Verizon report is to filter outbound traffic. That way, even if malware does get in the door, you have some measure of control over what information leaves your network. This is sometimes referred to as “Data Loss Prevention,” or “Content Security.” Here’s what they had to say about it:
“Most organizations at least make a reasonable effort to filter incoming traffic from the Internet. This probably stems from a (correct) view that there’s a lot out there that we don’t want in here. What many organizations forget is that there is a lot in here that we don’t want out there. Thus, egress filtering doesn’t receive nearly the attention of its alter ego. Our investigations suggest that perhaps it should. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out that, if prevented, could break the chain and stop the breach. By monitoring, understanding, and controlling outbound traffic, an organization will greatly increase its chances of mitigating malicious activity.”
By a happy coincidence, one of our primary vendor partners, WatchGuard, recently introduced a line of appliances that are specifically designed for precisely this task. I’ll be writing more about that in a future post.
- Don’t assume that you’re too small to interest the criminals. 9% of the breaches were in companies with ten or fewer employees. Another 18% in companies with 11 to 100 employees. 23% in companies with 101 to 1,000 employees.
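To make the SQL injection takeaway above concrete, here is an added example (not from the original post or the Verizon report): a billing lookup that pastes form input into the SQL text, beside a version that validates the field and binds it as a parameter. The table, the function names, and the hostile input are constructed for illustration; parameter binding is an addition to the input validation described above.

```python
import re
import sqlite3

# Constructed hostile form input: closes the quoted value and adds a
# condition that is always true.
HOSTILE = "' OR '1'='1"

# What a customer name is expected to look like (assumed rule for this example).
CUSTOMER_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def make_db():
    """Build a throwaway in-memory billing table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE billing (customer TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO billing VALUES (?, ?)",
                   [("alice", "1111"), ("bob", "2222"), ("carol", "3333")])
    return db

def lookup_vulnerable(db, customer):
    # The form value becomes part of the SQL text, so the database
    # parses whatever the user typed as SQL.
    sql = ("SELECT customer, card_last4 FROM billing "
           "WHERE customer = '" + customer + "'")
    return db.execute(sql).fetchall()

def lookup_hardened(db, customer):
    # 1) Validate: reject anything that is not shaped like a customer name.
    if not isinstance(customer, str) or not CUSTOMER_RE.fullmatch(customer):
        raise ValueError("invalid customer name")
    # 2) Bind: the value travels separately from the statement text,
    #    so it is compared as data and never parsed as SQL.
    sql = "SELECT customer, card_last4 FROM billing WHERE customer = ?"
    return db.execute(sql, (customer,)).fetchall()

def demo():
    """Return (rows leaked by the vulnerable lookup, hardened result, rejected?)."""
    db = make_db()
    leaked = lookup_vulnerable(db, HOSTILE)
    normal = lookup_hardened(db, "alice")
    try:
        lookup_hardened(db, HOSTILE)
        rejected = False
    except ValueError:
        rejected = True
    return len(leaked), normal, rejected

if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every customer's row for the hostile input, while the hardened lookup refuses it and still answers the ordinary query.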
And, finally, don’t assume that the situation is hopeless. Remember that only 4% of breaches were judged to have required difficult and expensive measures to avoid. To quote from the conclusions of the Verizon report, “Configuration changes and altering existing practices fix the problem(s) much more often than major redeployments and new purchases.” We do have the tools to get the job done. We just have to make up our minds to do it.