7. Scope of Research
• Focused on the US – comparable data breach information is not readily
available for other countries
• Only publicly disclosed data breach incidents were used
• Data was collected for period: Jan 2005 – Apr 2015
• The data used is really the “tip of the iceberg” – the majority of incidents
remain unreported and undisclosed
8. What is a data breach?
Many definitions out there, but the ISO/IEC 27040 definition best summarizes
data breaches (IMHO):
“Compromise of security that leads to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to protected data transmitted,
stored, or otherwise processed.”
9. Recent “Sensational” Data Breaches
• Hacking Team – the creators of surveillance software – was hacked and
400GB+ of stolen data was leaked online
• 21.5M SSNs and other sensitive data was stolen in the “second” breach of
Office of Personnel Management’s (OPM) background check database
• Ashley Madison – an online dating service that caters to extramarital affairs
was hacked and 37M members’ records were leaked online
13. Record Types Compromised
• PII: Name, address, SSN, DoB, phone number, etc.
• Financial data: Banking, insurance, and billing information, etc.
• Health data: Medical records, medical insurance, etc.
• Education data: School, college, university, or related records
• Payment cards: Credit, debit, store-branded credit, and prepaid gift cards
• Credentials: Log-in credentials for eBay, PayPal, Web-based email, online
banking, social networks, etc.
• Others: Intellectual property and intelligence about an organization
• Unknown: Investigators failed to determine what was stolen
27. Findings: Hype and Heavy Tails
• The paper uses the same PRC data we used – the authors fit Bayesian
Generalized Linear Models to investigate trends in data breaches
• Their statistical analysis suggests that neither the size nor the frequency
of data breaches has increased over the past decade
• They predict that the likelihood of a very large (i.e. headline-grabbing)
data breach occurring within the next year is small, AND they predict that
smaller breaches will occur more frequently
• They predict data breaches will cost businesses/organizations up to $55B
over the next three years
29. Who is stealing your data?
• Insiders
• Individual criminals
• Organized criminal groups
• State sponsored groups
• Hacktivists
30. Crimes Committed
• PII data – identity fraud, file fraudulent tax returns, apply for bank loans,
apply for credit cards, register fake accounts, spam & phishing attacks, etc.
• Financial data – create counterfeit credit cards, pay bills, fraudulent online
transactions, fraudulent money transfers, etc.
• Credentials – steal intellectual property, espionage, spam & phishing
attacks, etc.
• Others – vengeance attacks, hacktivism, blackmail, ransom, etc.
31. Are people becoming desensitized?
YES!… and here’s why
• There is an overload of daily news articles on data breaches
• Stolen sensitive data is not tangible like a stolen mobile phone
• The bad consequences of having sensitive data stolen are not instantly felt
• There is a lack of understanding of the repercussions of sensitive data theft
37. What about “Other” data?
• The vast majority of breaches remain unreported and undisclosed – we
don’t know what data was stolen, when it was stolen, and by whom
• Theft of “other” data strongly implies espionage, intelligence collection,
theft of intellectual property, an attempt to gain competitive advantage, etc.
• These breaches are orchestrated by groups who have a vested interest in
procuring data for their advantage
• Victimized businesses rarely disclose the actual damage inflicted – this
could easily be in the millions or billions of dollars depending on the
industry
39. Red Queen Hypothesis
• Sophistication of attacks increasing over time
• This follows what is called the Red Queen
Hypothesis
– Based on Leigh Van Valen’s observations of a biological
evolutionary arms race
– Antagonistic co-evolution of predators/prey or
parasites/hosts; no evolution = extinction
• “Now, here, you see, it takes all the running you
can do, to keep in the same place. If you want to
get somewhere else, you must run at least twice
as fast as that!” – Lewis Carroll, Through the Looking-Glass
40. Key Principles of Defense
No defense is impregnable against determined adversaries!
Always assume you have been compromised. Now what do you do?
– Have a response plan ready
– Quickly identify and respond to ongoing security breaches
– Contain the breach and stop the loss of sensitive data
– Reduce the attack surface by closing the exploitable avenues you know about
– Apply lessons learned to further strengthen defenses and prevent repeats
42. Critical Security Controls
• Implementing all 20 security controls can be very expensive and requires
dedicated teams for daily operations, monitoring, response, and
maintenance
• A large business/organization should have the resources to implement all
20 security controls, but most small businesses/organizations can only
afford to implement a subset of the controls
• The Critical Security Controls provide a comprehensive set of guidelines,
and implementing even a subset of them will go a long way in preventing
data breaches
43. Insider Threats
• Insiders are trusted individuals or persons of authority with access
privileges who steal data
• They are typically motivated by Money, Ideologies, Coercion, and Ego
(MICE)
• Insider attacks should be accorded the same level of prioritization as
external attacks
• Broadly speaking, Insider threat mitigation techniques can be grouped into
two categories – technical and non-technical
44. Insider Threats
• Technical steps to prevent insider attacks use security best practices:
– Information access control
– Monitoring and logging of activities
– Promptly disable the credentials of ex-employees
– Identify employees whose credentials have been compromised, etc.
• Non-technical means of security are equally effective:
– Good management practices in handling delicate situations
– Recognizing and rewarding employees
– Looking after employee well-being, etc.
• In a nutshell, happy employees are less likely to turn against their
employers
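The monitoring, credential-disabling and compromised-credential steps above can be checked mechanically against an authentication log. The following Python script is an added example written for this write-up, not code from the talk: it runs two detections over a constructed HR roster and a handful of constructed log lines. The usernames, countries, timestamps, the log format and the two-hour travel window are all assumptions made for the illustration; a real deployment would pull the roster from the HR system and the events from an identity provider or SIEM.

```python
"""Added example (not from the original talk): two insider-threat checks run
over an authentication log.

1. ex_employee_logins: successful logins by accounts whose owner has left,
   or by accounts that do not appear in the HR roster at all (orphaned or
   rogue accounts). Finds cases where "disable credentials promptly" failed.
2. impossible_travel: the same account logging in successfully from two
   different countries within a window too short to travel between them,
   a common indicator that the credential has been compromised or shared.

The roster, the log format, and every user/country/timestamp below are
constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed HR roster: username -> termination date, None = still employed.
ROSTER = {
    "alice": None,
    "bob": datetime(2015, 3, 31),   # left at the end of March
    "carol": None,
}

# Constructed log, one event per line: "<ISO timestamp> <user> <result> <country>"
AUTH_LOG = """\
2015-04-01T08:02:11 alice SUCCESS US
2015-04-02T09:15:40 bob SUCCESS US
2015-04-02T09:16:02 bob FAILURE US
2015-04-03T07:00:00 carol SUCCESS US
2015-04-03T07:45:00 carol SUCCESS RU
2015-04-03T23:10:00 carol SUCCESS US
2015-04-04T02:30:00 mallory SUCCESS US
2015-04-05T12:00:00 alice SUCCESS DE
"""


def parse_log(text):
    """Parse the constructed log format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def ex_employee_logins(events, roster):
    """Return (user, timestamp, reason) for successful logins that should not
    have been possible: the account belongs to someone who has left, or the
    account is not in the roster at all."""
    hits = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        if e["user"] not in roster:
            hits.append((e["user"], e["ts"].isoformat(), "account not in roster"))
        elif roster[e["user"]] is not None and e["ts"] > roster[e["user"]]:
            hits.append((e["user"], e["ts"].isoformat(), "employee terminated"))
    return hits


def impossible_travel(events, window=timedelta(hours=2)):
    """Return (user, from_country, to_country, timestamp) whenever a user's
    consecutive successful logins come from different countries less than
    `window` apart. Failed logins are ignored so that a password-guessing
    attempt from abroad does not by itself trigger the rule."""
    last_seen = {}
    hits = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        prev = last_seen.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            hits.append((e["user"], prev["country"], e["country"], e["ts"].isoformat()))
        last_seen[e["user"]] = e
    return hits


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    for hit in ex_employee_logins(events, ROSTER):
        print("credential hygiene:", hit)
    for hit in impossible_travel(events):
        print("possible credential compromise:", hit)
```

On the constructed data the roster check flags bob (still logging in two days after his termination date) and mallory (an account nobody in HR owns), and the travel check flags carol's RU login 45 minutes after a US one. Both checks only work if the log is actually collected and the roster is kept current, which is the non-technical half of the problem.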
46. Data Breach Legislations in the US
• The US has no federal standard that provides a uniform set of rules
governing notification procedures following a data breach – only
specialized federal laws, e.g. HIPAA
• 47 US states, the District of Columbia, Guam, Puerto Rico, and the US
Virgin Islands have each enacted their own legislation
• The data breach notification laws that exist vary from state to state and at
times can be conflicting e.g. disclosure timelines
• Compliance with multiple data breach notification laws introduces
additional complexity on top of responding to a breach incident
47. Data Breaches are here to stay…
• The number of disclosed data breaches involving big
businesses/organizations is increasing; if well-resourced organizations are
being breached, smaller businesses/organizations with fewer defenses are
surely being targeted just as relentlessly
• The damage done to everyday individuals is the same irrespective of where
their data was stolen from – they face serious risks of identity, financial,
and other types of fraud
• In reality, any business or organization that processes and/or stores
sensitive data is a potential data breach target
• As long as sensitive data can be monetized, data breaches will happen
Privacy Rights Clearinghouse (PRC) is a non-profit corporation based in California
They publish a database which contains all publicly disclosed data breach incidents in the United States
Their data is vetted before being published on their website, and is free to use
2015 numbers currently stand at 159 – so it looks like the downward trend in disclosed data breach numbers continues
Are you frigging kidding me?
What are the reasons behind reported numbers declining?
Not reported… the breach does not fall under a reporting requirement
Not discovered... on average a breach takes several weeks to months to discover, and more often than not the victim is informed about the breach by a third party, e.g. customers, law enforcement agencies, banks, etc.
A bit out of date as it doesn’t contain OPM or Ashley Madison
They mention that they expect their predictions to lose accuracy over time
Something worth noting is that we found the prices of stolen data have fallen compared to last year. We attribute this to oversupply from all the data breaches.
From the “Hype and Heavy Tails” paper
We are in a never ending arms race with our competitors, the malware authors
Interestingly enough these malware authors are also some of the most prolific customers of our research
We have to deliver information and tools so the populace can run at least twice as fast as the malicious actors look to steal from them
Defensive strategies for some of the breach methods discussed in this talk are outside the scope of this research and have thus been omitted
Maintained by the Center for Internet Security (CIS) – an independent global non-profit entity
Limitation – the notification laws only apply where a breach directly affects the everyday consumer
If a company is breached and important IP or “Other” data that is not directly tied to a consumer is lost, the company does not have to report it
We lose visibility into data breaches and understanding of the overall impact data breaches have on society