According to a study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit, a total of 3.8 million data records were compromised across 760 reported data breaches in 2010. Was yours one of them?
Actually, this is good news. The study indicated a significant decrease in the number of compromised records compared with the prior two years. The researchers attributed the declining trend in data breaches to the collaborative effort between the U.S. Secret Service and industry to combat cybercrime, together with increased security awareness.
Last week, IBM also released results from its mid-year X-Force 2011 Trend and Risk Report, highlighting that public and private organizations around the world faced increasingly sophisticated, customized IT security threats in 2011. The results demonstrate the rapidly changing security landscape characterized by high-profile attacks, growing mobile vulnerabilities and more sophisticated threats such as whaling, a form of phishing that focuses on a small targeted group within an organization.
As the X-Force report notes, the security environment is changing: the boundaries of business infrastructure are being extended or obliterated by the emergence of cloud, mobility, social business, big data and more. At the same time, the attacks are getting more sophisticated, often showing evidence of extensive intelligence collection and careful, patient, long-term planning. The repercussions of these attacks are large enough to move security discussions out of technical circles and into the board room.
Paradoxically, there have been significant gains in the fight to secure the Internet this year, with many vulnerability and attack statistics improving significantly, as the Verizon breach figures suggest. The good guys may be winning some key battles, but the fight is far from over. The bad guys are simply moving on to new battlefields, including smartphones and tablets. The rapid proliferation of these devices, combined with a consolidation of operating systems, has caused attackers to finally warm up to the opportunities these devices represent. As such, IBM X-Force research is predicting that exploits targeting vulnerabilities that affect mobile operating systems will more than double from 2010.
Computer forensics and IT security expert Peter Kiilu reviewed the key findings and learning points from the Verizon 2011 Data Breach Investigations Report. As part of his review, he suggests controls that companies can implement to significantly reduce the risk of a data breach and the related financial losses.
Let’s look at just a few of the key findings. For example, the victims of these breaches usually weren’t even aware they had lost data or experienced a breach until they were notified by a third party. That’s bad, especially if the party notifying you is a customer or a regulator. Not surprisingly, Kiilu noted that most of the victims subject to PCI-DSS had not achieved compliance. If you handle credit card information, don’t shortchange PCI compliance.
Hacking and malware were the most common threat actions. In fact, the top four threat events all involved external agents hacking into and installing malware to compromise the confidentiality and integrity of the servers.
The goal of these attacks is to get data; this isn’t just joyriding through your systems. The three most common types of data misuse observed last year were embezzlement, skimming, and related fraud. The victims, by the way, were targets of opportunity rather than specifically chosen. You can probably conclude they were targeted because they were easy targets. As Kiilu noted, almost all the breaches were avoidable, without difficult or expensive corrective measures.
Many managers, especially CFOs, voice concern about the security of cloud computing. While there are legitimate concerns about cloud security, the study makes it clear that cloud computing, and any technology specific to the cloud, was not the main culprit behind the data breaches.
What were the main culprits? According to Kiilu, the problems revolved around giving up control of information assets and data and not controlling the associated risk. In an upcoming report, BottomlineIT will take up Kiilu’s recommended defensive actions.