Know Your Enemy: Verizon Data Breach Report


An analysis of the Verizon Data Breach Report for 2011, with a focus on the threats, their attack methodologies, and approach vectors. Delivered to InfraGard - Honolulu Chapter, May 3 2011

  • Focused on who the bad guys are and what they are exploiting.
  • Most of NHTCU’s time was spent taking down a huge child porn ring and taking down botnets, so they are not actually included in the 2010 stats. They are laser focused on high value targets, and don’t investigate a large volume of cases.
  • Top 3 remain the same, they just shuffled places (Finance was 1st last year, then hospitality, then retail). Have to keep in mind that the 2009 dataset was only 141 breaches. So, while the Government sector is the same 4% of the total as it was in 2009, the number of breaches there actually quadrupled from 6 to 27.
  • Again, dataset size is deceiving here. While the percentage of breaches overwhelmingly seemed to target SMBs, the number of breaches by companies of 1000+ employees still doubled since last year. This graph actually trends closely with the size of businesses in the United States overall.
  • Only 3 partner-related incidents this year. 1 was a deliberate act, 2 were unintentional. Our long-fought battle with malicious insiders is finally won, right? Not so fast.
  • While the percentage of insider breaches was down, the actual number of incidents doubled. The decline in partner-contributing breaches appears to be genuine, which is a good thing.
  • Eastern Europe was still top dog in last year’s report, but only by a margin of 21% to USA’s 19%. Shows marked rise in criminal groups based in Eastern Europe.
  • Infection vectors and functionality. The trend continues to focus on exfiltration capabilities and remote access. The 79% exfiltration and 78% backdoor figures represent huge jumps from last year (32% and 36%, respectively).
  • 18% of malware investigated by Verizon was completely custom, and two-thirds was customized to some degree, mostly to avoid AV detection.
  • Web application vulns fell to 3rd place, from their traditional 1st place spot, but if you take out the hospitality and retail verticals, web applications are back on top and more prevalent than ever.
  • Wait – IN PERSON?? Email was the favorite MO last year, but criminals have gotten personal it seems
  • Skimming operations are becoming more organized and sophisticated. Sprees can target 50-100 businesses at a time.
  • Remote access channels are increasingly a favorite target. With the proliferation of cloud-type offerings like GoToMyPC, do you really know what remote access capabilities you have in your environment? Data exfiltration continues to be the primary goal of most intruders.
  • Log management: reducing time to discovery is critical in limiting the damage intruders can inflict on your organization.
  • Many companies don’t know what to do when they suspect a problem. Users clicking on hostile attachments is still a problem (see: RSA). Don’t neglect educating employees on social engineering tactics that involve a personal contact.
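The notes above on remote access, exfiltration and time to discovery, together with the "monitor privileged accounts", "monitor and filter egress traffic" and "define anomalous and then look for it" recommendations later in the deck, describe a detection workflow without showing one. The following Python script is an added example, not code from the presentation or the Verizon report: it parses constructed remote-access and egress log lines, flags logins that fall outside an assumed business-hours window or use an assumed privileged account, flags destinations whose egress volume exceeds an assumed baseline, correlates the two, and computes how long an anomaly sat in the logs before review. The log lines, the `vpn`/`fw` log formats, the policy constants and the IP addresses are all constructed assumptions.

```python
"""Anomaly detection over constructed remote-access and egress logs (added example)."""
from collections import defaultdict
from datetime import datetime, time

# --- Assumed policy: tune these to the organization's own definition of "anomalous" ---
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed window for interactive remote access
PRIVILEGED_ACCOUNTS = {"admin"}              # assumed inventory of privileged accounts
EGRESS_THRESHOLD_BYTES = 100 * 1024 * 1024   # assumed per-destination baseline (100 MiB)

# --- Constructed sample logs (not real data). Format: "<ISO ts> <source> <event> k=v ..." ---
REMOTE_ACCESS_LOG = """\
2011-04-12T08:05:11 vpn login user=jsmith src=203.0.113.4 result=success
2011-04-12T09:17:40 vpn login user=admin src=198.51.100.9 result=success
2011-04-12T23:48:02 vpn login user=svc_pos src=192.0.2.77 result=success
2011-04-13T02:10:55 vpn login user=svc_pos src=192.0.2.77 result=success
2011-04-13T02:11:30 vpn login user=jsmith src=203.0.113.4 result=failure
"""

EGRESS_FLOW_LOG = """\
2011-04-13T02:15:00 fw egress src=10.0.5.21 dst=192.0.2.77 dport=443 bytes=1200
2011-04-13T02:16:00 fw egress src=10.0.5.21 dst=192.0.2.77 dport=443 bytes=850000000
2011-04-13T02:17:00 fw egress src=10.0.5.30 dst=203.0.113.50 dport=80 bytes=4096
"""


def parse_line(line):
    """Parse one 'timestamp source event key=value ...' record into a dict."""
    ts, source, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields.update(ts=datetime.fromisoformat(ts), source=source, event=event)
    return fields


def flag_logins(log_text):
    """Return (ts, user, src, reasons) for successful logins that violate the policy:
    off-hours access, or any use of a privileged account (which we always want to see)."""
    alerts = []
    start, end = BUSINESS_HOURS
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] != "login" or rec["result"] != "success":
            continue
        reasons = []
        if not (start <= rec["ts"].time() < end):
            reasons.append("off-hours")
        if rec["user"] in PRIVILEGED_ACCOUNTS:
            reasons.append("privileged-account")
        if reasons:
            alerts.append((rec["ts"], rec["user"], rec["src"], reasons))
    return alerts


def flag_egress(log_text):
    """Sum outbound bytes per (internal src, external dst) and return pairs over baseline."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "egress":
            totals[(rec["src"], rec["dst"])] += int(rec["bytes"])
    return sorted((pair, total) for pair, total in totals.items()
                  if total > EGRESS_THRESHOLD_BYTES)


def correlate(login_alerts, egress_outliers):
    """Egress outliers whose destination is also an anomalous remote-access source:
    the same external host both logging in and receiving bulk data is a strong signal."""
    suspicious_sources = {src for _, _, src, _ in login_alerts}
    return [(pair, total) for pair, total in egress_outliers if pair[1] in suspicious_sources]


def detection_lag_hours(alerts, reviewed_at):
    """Hours between the earliest anomalous event and the time the logs were reviewed."""
    first = min(ts for ts, *_ in alerts)
    return (reviewed_at - first).total_seconds() / 3600


if __name__ == "__main__":
    logins = flag_logins(REMOTE_ACCESS_LOG)
    egress = flag_egress(EGRESS_FLOW_LOG)
    for alert in logins:
        print("LOGIN ", *alert)
    for pair, total in egress:
        print("EGRESS", pair, total, "bytes")
    print("CORRELATED", correlate(logins, egress))
    # Next-morning batch review versus a real-time alert on the same data.
    print("lag (daily review):", round(detection_lag_hours(logins, datetime(2011, 4, 13, 9, 0)), 1), "h")
    print("lag (real-time):   ", detection_lag_hours(logins, logins[0][0]), "h")
```

The correlation step is where the two speaker notes meet: remote access and exfiltration are usually investigated as separate feeds, and joining them on the external address turns two medium-severity alerts into one high-severity one. Swapping the `reviewed_at` value shows the point of the "real-time monitoring" recommendation in numbers rather than adjectives.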


  • 1. Verizon Data Breach Report, “Know Your Enemy” Edition. Originally prepared for InfraGard Honolulu Chapter, May 3, 2011. Beau Monday, CISSP, GSEC, Information Security Officer @ HawaiianTel
  • 2. Disclosures
    • Hawaiian Telcom was a subsidiary of Verizon at one point, but was sold to private investors in 2005.
    • This review focuses primarily on the threat side of the equation.
  • 3. History
    • 4th year of public releases
      • Starting in 2008
      • 6 total reports (mid-year supplementals in 2008 and 2009)
    • Dataset now contains:
      • 7 years of data
      • 1700+ breaches
      • 900M compromised records
  • 4. Data Sources
    • Verizon Caseload (94 breaches in 2010)
      • Only cases where Verizon was directly engaged as an investigator and a breach was confirmed
    • US Secret Service (667 breaches in 2010)
      • Verizon reviewed USSS’ caseload and only included cases that matched Verizon’s criteria for a breach
      • If Verizon and USSS both worked on an individual case, Verizon’s data was referenced for the report
    • Dutch National High-Tech Crime Unit (30 cases spanning several years)
  • 5. Things to keep in mind
    • The addition of the USSS and Dutch NHTCU data has nearly doubled the size of the dataset from last year
    • Comparing year-to-year data can be challenging as a result (as you will see)
  • 6. Demographics – by Sector
  • 7. Demographics – by Org Size
    • Large companies catching a break?
    • Shift towards SMBs?
  • 8. Threat Agents
    • Attacks via partners down from 10% to <1% (!)
    • Attacks via insiders down from 48% to 17% (!)
  • 9. Threat Agent Trends
    • Insider threats have declined, but not by as much as the first graph indicated
  • 10. Who are the (external) bad guys?
    • Eastern Europe takes a commanding lead
  • 11. Who are the (internal) bad guys?
    • Quite a jump in regular users (was 51% last year)
    • % of breaches involving Finance staff doubled
    • % of breaches involving executives increased from 7% to 11%
  • 12. Threat Categories
    • Malware was #1 last year, but dropped to 4th in 2010
    • Physical doubled as a % of breaches
  • 13. Malware
  • 14. Malware Customization
  • 15. Hacking Methodologies
  • 16. Attack Pathways
  • 17. Social Engineering Trends
    • 11% of breaches employed some level of social engineering (down from 28% last year)
  • 18. Physical Attacks
    • Physical attacks are twice as prevalent versus last year
    • ATM and Gas Pump skimmers represent the bulk of this increase
  • 19. Recommendations
    • Overall: “Achieve essential, then worry about excellent”
  • 20. Recommendations (cont.)
    • Access Controls
      • Change default creds
      • Review user accounts often
      • Restrict and monitor privileged accounts
    • Network Management
      • (Catalog and) Secure Remote Access Services
      • Monitor and filter egress traffic
  • 21. Recommendations (cont.)
    • Secure Development
      • Application testing and code review
    • Log Management and Analysis
      • Enable application and network logs (and monitor them)
      • Define “anomalous” and then look for it
      • Try to achieve real-time log monitoring/alerting
  • 22. Recommendations (cont.)
    • Incident Management
      • Create an Incident Response Plan
      • Engage in mock incident drills
    • Training and Awareness
      • Increase awareness of social engineering
      • Train employees to look for signs of tampering and fraud
  • 23. References & Contact Info
    • References:
      • Verizon Data Breach Investigations Report 2011:
      • Verizon DBIR 2011 – Metrics, Interpretations and Action Plans:
    • Contact me: [email_address]