17 April 2012

Data Breach Investigations Report 2012

At the end of March, Verizon published their 2012 Data Breach Investigations Report. Again it is packed full of useful, well-presented, data.

Figure 22 - Hacking vectors by percent of breaches within hacking - from the report '' indicating how web applications remain the third most common attack vector overall

The report shows that many breaches are the results of more than one threat action (malware, hacking, social, misuse, physical, error and environmental). However, hacking accounted for 81% (58% for larger organisations with over 1,000 employees) of breaches and 99% of data records (same for larger organisations), and as the chart above (Figure 22) shows remote access/desktop services was the most common hacking vector, followed by backdoor or control channel, and thirdly web applications.

Figures 32 and 33 provide some great data on the scale of records lost for different varieties of data (authentication credentials, bank data, classified, copyright, medical information, organisation data, payment card data, personal data, systems information, trade secrets). From these we can get a feel for the average size of a breach for each data type. Unsurprisingly the number of records lost per "trade secret" event is about 1. For personal data it is around 2 million.

The data on timespan of events by percent of breaches (Figure 40) continues to show the short time from initial attack to initial compromise and initial compromise to data exfiltration (both in minutes), the long average time to discovery (several weeks), and from then until containment/restoration (weeks).

There is perhaps too much emphasis on counts of records lost, but of course this is a "data breach" report. The report states that it makes "no claim that the findings of this report are representative of all data breaches in all organizations at all times ". There is clearly a heavy bias to retailers (e.g. type of staff roles, recommendations referencing point of sale), and thus those organisations within scope of standards from the Payment Card Industry Security Standards Council (PCI SSC). However, data was gathered not only from Verizon but also from Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, the UK's Police Central e-Crime Unit, and the United States Secret Service. So it is not just Verizon's paying clients.

Remember, you don't need to lose data to have an incident or a loss. I'd like to see reports titled:

  • 2012 Attacks Without Data Loss Investigations Report
  • 2012 Data Alteration and Destruction Report
  • 2012 Breachless Fraud & Misuse Report
  • 2012 Undetected Incidents Report
  • 2012 Service Unavailability Investigations Report
  • 2012 Reputation, Risk and Resolve

We have that data, yes? Oh, ...maybe not.

Posted on: 17 April 2012 at 19:05 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Comments

Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
Data Breach Investigations Report 2012
http://www.clerkendweller.com/2012/4/17/Data-Breach-Investigations-Report-2012
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2012/4/17/Data-Breach-Investigations-Report-2012
Requested by 107.21.186.38 on Saturday, 25 May 2013 at 21:08 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2012-2013 clerkendweller.com