Know Your Enemy: Verizon Data Breach Report
An analysis of the Verizon Data Breach Report for 2011, with a focus on the threats, their attack methodologies, and approach vectors. Delivered to InfraGard - Honolulu Chapter, May 3 2011

Speaker notes:
  • Focused on who the bad guys are and what they are exploiting.
  • Most of NHTCU’s time was spent taking down a huge child porn ring and taking down botnets, so they are not actually included in the 2010 stats. They are laser-focused on high-value targets and don’t investigate a large volume of cases.
  • Top 3 remain the same, they just shuffle places (Finance was 1st last year, then hospitality, then retail). Keep in mind that the 2009 dataset was only 141 breaches. So, while the Government sector is the same 4% of the total as it was in 2009, the number of breaches there actually quadrupled, from 6 to 27.
  • Again, dataset size is deceiving here. While the percentage of breaches overwhelmingly seemed to target SMBs, the number of breaches at companies of 1000+ employees still doubled since last year. This graph actually trends closely with the size distribution of businesses in the United States overall.
  • Only 3 partner-related incidents this year: 1 was a deliberate act, 2 were unintentional. Our long-fought battle with malicious insiders is finally won, right? Not so fast.
  • While the percentage of insider breaches was down, the actual number of incidents doubled. The decline in partner-contributing breaches appears to be genuine, which is a good thing.
  • Eastern Europe was still top dog in last year’s report, but only by a margin of 21% to the USA’s 19%. This shows a marked rise in criminal groups based in Eastern Europe.
  • Infection vectors and functionality. The trend continues to focus on exfiltration capabilities and remote access. The 79% exfiltration and 78% backdoor figures represent huge jumps from last year (32% and 36%, respectively).
  • 18% of malware investigated by Verizon was completely custom, and two-thirds was customized to some degree, mostly to avoid AV detection.
  • Web application vulns fell to 3rd place from their traditional 1st place spot, but if you take out the hospitality and retail verticals, web applications are back on top and more prevalent than ever.
  • Wait – IN PERSON?? Email was the favorite MO last year, but criminals have gotten personal, it seems.
  • Skimming operations are becoming more organized and sophisticated. Sprees can target 50-100 businesses at a time.
  • Remote access channels are increasingly a favorite target. With the proliferation of cloud-type offerings like GoToMyPC, do you really know what remote access capabilities you have in your environment? Data exfiltration continues to be the primary goal of most intruders.
  • Log management: reducing time to discovery is critical in limiting the damage intruders can inflict on your organization.
  • Many companies don’t know what to do when they suspect a problem. Users clicking on hostile attachments is still a problem (see: RSA). Don’t neglect educating employees on social engineering tactics that involve a personal contact.

    1. Verizon Data Breach Report, “Know Your Enemy” Edition
       Originally prepared for InfraGard Honolulu Chapter, May 3, 2011
       Beau Monday, CISSP GSEC, Information Security Officer @ HawaiianTel
    2. Disclosures
       • Hawaiian Telcom was a subsidiary of Verizon at one point, but was sold to private investors in 2005.
       • This review focuses primarily on the threat side of the equation.
    3. History
       • 4th year of public releases
         • Starting in 2008
         • 6 total reports (mid-year supplementals in 2008 and 2009)
       • Dataset now contains:
         • 7 years of data
         • 1700+ breaches
         • 900M compromised records
    4. Data Sources
       • Verizon caseload (94 breaches in 2010)
         • Only cases where Verizon was directly engaged as an investigator and a breach was confirmed
       • US Secret Service (667 breaches in 2010)
         • Verizon reviewed the USSS’ caseload and only included cases that matched Verizon’s criteria for a breach
         • If Verizon and USSS both worked on an individual case, Verizon’s data was referenced for the report
       • Dutch National High-Tech Crime Unit (30 cases spanning several years)
    5. Things to keep in mind
       • The addition of the USSS and Dutch NHTCU data has nearly doubled the size of the dataset from last year
       • Comparing year-to-year data can be challenging as a result (as you will see)
    6. Demographics – by Sector
    7. Demographics – by Org Size
       • Large companies catching a break?
       • Shift towards SMBs?
    8. Threat Agents
       • Attacks via partners down from 10% to <1% (!)
       • Attacks via insiders down from 48% to 17% (!)
    9. Threat Agent Trends
       • Insider threats have declined, but not by as much as the first graph indicated
    10. Who are the (external) bad guys?
       • Eastern Europe takes a commanding lead
    11. Who are the (internal) bad guys?
       • Quite a jump in regular users (was 51% last year)
       • % of breaches involving Finance staff doubled
       • % of breaches involving executives increased from 7% to 11%
    12. Threat Categories
       • Malware was #1 last year, but dropped to 4th in 2010
       • Physical doubled as a % of breaches
    13. Malware
    14. Malware Customization
    15. Hacking Methodologies
    16. Attack Pathways
    17. Social Engineering Trends
       • 11% of breaches employed some level of social engineering (down from 28% last year)
    18. Physical Attacks
       • Physical attacks are twice as prevalent versus last year
       • ATM and gas pump skimmers represent the bulk of this increase
    19. Recommendations
       • Overall: “Achieve essential, then worry about excellent”
    20. Recommendations (cont.)
       • Access Controls
         • Change default creds
         • Review user accounts often
         • Restrict and monitor privileged accounts
       • Network Management
         • (Catalog and) secure remote access services
         • Monitor and filter egress traffic
    21. Recommendations (cont.)
       • Secure Development
         • Application testing and code review
       • Log Management and Analysis
         • Enable application and network logs (and monitor them)
         • Define “anomalous” and then look for it
         • Try to achieve real-time log monitoring/alerting
    22. Recommendations (cont.)
       • Incident Management
         • Create an Incident Response Plan
         • Engage in mock incident drills
       • Training and Awareness
         • Increase awareness of social engineering
         • Train employees to look for signs of tampering and fraud
    23. References & Contact Info
       • References:
         • Verizon Data Breach Investigations Report 2011: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
         • Verizon DBIR 2011 – Metrics, Interpretations and Action Plans: http://www.dman.com/verizon-data-breach-investigations-report-2011/
       • Contact me: [email_address]
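The deck's recommendations to "monitor and filter egress traffic" and to "define anomalous and then look for it" can be made concrete as a per-host outbound-volume baseline. The following is an added example written for this page, not code from the presentation or from Verizon; the log format and the sample lines are constructed, and the threshold factor is an assumed starting point to tune against real traffic.

```python
"""Egress-volume anomaly check over constructed firewall log lines."""
import re
import statistics
from collections import defaultdict

# Constructed sample records (not real traffic): time, internal source,
# external destination, bytes sent outbound. One host ends with a burst.
SAMPLE_LOG = """\
2011-05-02T22:00:01 src=10.0.1.15 dst=203.0.113.8:443 out=18230
2011-05-02T22:05:14 src=10.0.1.15 dst=203.0.113.8:443 out=17990
2011-05-02T22:10:33 src=10.0.1.15 dst=203.0.113.8:443 out=20110
2011-05-02T22:15:41 src=10.0.1.15 dst=198.51.100.77:443 out=412000
2011-05-02T22:01:09 src=10.0.1.22 dst=203.0.113.8:443 out=9000
2011-05-02T22:06:20 src=10.0.1.22 dst=203.0.113.8:443 out=9500
2011-05-02T22:11:02 src=10.0.1.22 dst=203.0.113.8:443 out=8800
"""

# Assumed log layout; adapt the pattern to the firewall or proxy in use.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) out=(?P<out>\d+)$")


def parse(log_text):
    """Yield (ts, src, dst, bytes_out) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["out"])


def egress_anomalies(log_text, factor=5.0, min_history=3):
    """Flag records whose bytes_out exceed factor x the host's own median.

    The baseline is built only from the host's earlier records, so a burst
    cannot inflate the median it is compared against. Hosts with fewer than
    min_history prior records are not judged: too little history to define
    "normal" for them yet.
    """
    history = defaultdict(list)
    flagged = []
    for ts, src, dst, out in parse(log_text):
        prior = history[src]
        if len(prior) >= min_history:
            baseline = statistics.median(prior)
            if out > factor * baseline:
                flagged.append({"ts": ts, "src": src, "dst": dst,
                                "bytes_out": out, "baseline": baseline})
        prior.append(out)
    return flagged
```

Running `egress_anomalies(SAMPLE_LOG)` flags the single 412000-byte transfer from 10.0.1.15 against its 18230-byte median; the second host never exceeds its baseline and is not reported.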