There’s been a lot of discussion over the last week about the seemingly positive results issued in the recently published 2010 Verizon Data Breach Investigations Report.
Unlike previous years, which saw tremendous growth in the sheer volume of electronic breaches and the numbers of records being misappropriated via those events, the 2010 iteration of the influential paper – which now includes data provided by the U.S. Secret Service added to Verizon’s own information – tracked the loss of only 143 million records in 2009, versus the 285 million records stolen during 2008 (or more than 361 million records when you combine both Verizon and the Secret Service’s ’08 figures).
That’s significant, and a major improvement by any estimation, but my first thought is that if these numbers are to be trusted – and I do trust them as much as any other “independent” stats of their ilk – what I feel they likely point to is an improvement among organizations in stopping larger numbers of simpler, widespread attacks (such as common forms of spyware) while they are still falling prey to more targeted, complex campaigns.
What’s my rationale for bucking the many positive assumptions that could be made based on Verizon’s findings? Being focused primarily on the government sphere, it’s hard to forget some other shocking numbers we’ve seen of late. Namely, we’ve already been told in 2010 that there has been a 200 percent increase in intrusions into U.S. government networks (by the U.S. General Accountability Office) over the last year alone, and that 73 percent of those incidents existed for over 9 months before being discovered (per the White House Office of Management and Budget).
So, while it’s very encouraging to see that the stronger security controls and policies that we’ve been putting into place for the last few years appear to finally be having some positive effect, it’s hard for me to believe that the reported statistical improvements illustrate that the underlying challenges that we face related to cyber-crime are truly being addressed.
For instance, Verizon makes the leap that a slowdown in attacks after the indictment of TJX hacker Albert Gonzalez may be directly traceable to increased concern on the part of attackers over being caught and prosecuted; but with so many attacks coming from overseas, and Gonzalez’ own international partners in crime still at large, can we really believe that criminals around the globe are actively becoming more worried?
The Devil Inside
Also, consider that Verizon reports that while 70 percent of all breaches were carried out via external agents, the number of cases that involved insiders rose to 48 percent, an increase of 26 percent over the previous year. This seems to mean (backed by Verizon’s own conclusions) that the organized criminals and government entities who are at the top of the food chain are becoming more successful at finding people with some level of security privilege who are willing to carry out misdeeds against their employers, or even their own governments.
It’s imperative that we all respect the reality in the growth of internal threats, because as we’ve learned in many other areas of crime or espionage, ultimately it is the privileged insider who represents the most unpredictable, dangerous and hard-to-find point of risk. If research tells us that more attacks are being stopped at the door, how valuable is that improvement long-term if more privileged insiders, with direct access to certain assets, are actively being compromised?
Also, we have to consider that the most advanced hacker crews are increasingly leveraging compromised devices and applications as beachheads for attacks against networks from within. In recent years this “digital insider” phenomenon has metastasized as the widespread compromise of financial and government systems abounds.
So while the number of breaches and records as presented by Verizon may seem to have fallen, how frequently are technically savvy attackers capable of getting a foot in the door and pivoting to precisely where they want to be to make off with the specific records they seek? Again, that’s a statistic that would be hard to feasibly obtain, but we know based on other pervasive intelligence that this is exactly what’s been going on. This is how the aeronautics for the President’s personal aircraft end up located on a server discovered in the Middle East.
Our lack of appreciation for the sophistication and organization of our adversaries is the real issue here. We must be able to conduct attack path mapping from the perspective of a digital insider in order to combat the advanced persistent threat – which is most often not a disgruntled employee, but rather a compromised service and/or device. Intrusion suppression is the new name of the game.
Quite simply, I feel it’s fair to assess that the worst of our adversaries are likely continuing on with business as usual, while the low end of the market is where attackers are finally seeing more crudely devised threats get stopped, as evidenced by the Verizon report.
That’s not to say that there aren’t things to be optimistic about in the paper, which concludes that “criminals are not hopelessly ahead in this game.” I just feel that any positive assumptions that can be made also point to some of our biggest weaknesses, with Verizon finding that organizations “remain sluggish” in detecting and responding to incidents and that most breaches (61 percent) are discovered by external parties, and then only after a considerable amount of time.
At the end of the day any progress in this fight is good progress, but there’s still a long way to go.
-Tom Kellermann, Vice President of Security Awareness