At the end of March, Verizon published its 2012 Data Breach Investigations Report. Again it is packed full of useful, well-presented data.
The report shows that many breaches are the result of more than one threat action (malware, hacking, social, misuse, physical, error and environmental). However, hacking accounted for 81% of breaches (58% for larger organisations, those with over 1,000 employees) and 99% of compromised data records (the same for larger organisations), and as the chart above (Figure 22) shows, remote access/desktop services was the most common hacking vector, followed by backdoor or control channel, with web applications third.
Figures 32 and 33 provide some great data on the number of records lost for different varieties of data (authentication credentials, bank data, classified, copyright, medical information, organisation data, payment card data, personal data, systems information, trade secrets). From these we can get a feel for the average size of a breach for each data type. Unsurprisingly the number of records lost per "trade secret" event is about 1; for personal data it is around 2 million.
The data on timespan of events by percent of breaches (Figure 40) continues to show the short time from initial attack to initial compromise and from initial compromise to data exfiltration (both typically minutes), the long time from compromise to discovery (typically weeks), and a further period of weeks from discovery to containment/restoration.
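If you want to see where your own incidents sit against the Figure 40 pattern, the same four intervals can be computed from an incident register and bucketed into the report's timespan categories (seconds, minutes, hours, days, weeks, months, years). The script below is an added example, not code from the report or from Verizon; the incident records, the field names and the bucket boundaries (under 60 seconds is "seconds", under an hour "minutes", under a day "hours", under 7 days "days", under 30 days "weeks", under 365 days "months") are all assumptions made here for illustration. A missing timeline point, such as an incident with no exfiltration, is simply excluded from that phase rather than counted as zero.

```python
from collections import Counter
from datetime import datetime

# Constructed sample incident timelines (not DBIR data). Each record carries the
# five timeline points the report uses; None marks a point that never happened
# (e.g. no data was exfiltrated) or is not yet known.
INCIDENTS = [
    {"id": "inc-1", "attack": "2012-01-03T02:00:00", "compromise": "2012-01-03T02:05:00",
     "exfiltration": "2012-01-03T02:40:00", "discovery": "2012-01-25T09:00:00",
     "containment": "2012-02-08T17:00:00"},
    {"id": "inc-2", "attack": "2012-02-10T10:00:00", "compromise": "2012-02-10T10:00:30",
     "exfiltration": "2012-02-10T11:30:00", "discovery": "2012-03-01T08:00:00",
     "containment": "2012-03-03T08:00:00"},
    {"id": "inc-3", "attack": "2012-03-14T20:00:00", "compromise": "2012-03-14T20:10:00",
     "exfiltration": None, "discovery": "2012-03-20T12:00:00",
     "containment": "2012-03-21T12:00:00"},
    {"id": "inc-4", "attack": "2012-04-02T00:00:00", "compromise": "2012-04-02T00:30:00",
     "exfiltration": "2012-04-02T00:45:00", "discovery": "2012-04-25T00:00:00",
     "containment": "2012-05-10T00:00:00"},
]

# The four intervals shown in the report's timespan chart: (phase name, start, end).
PHASES = (
    ("attack_to_compromise", "attack", "compromise"),
    ("compromise_to_exfiltration", "compromise", "exfiltration"),
    ("compromise_to_discovery", "compromise", "discovery"),
    ("discovery_to_containment", "discovery", "containment"),
)

# Assumed bucket boundaries: a duration belongs to the first label whose upper
# limit (in seconds) it is below; anything a year or longer is "years".
BUCKETS = (
    ("seconds", 60),
    ("minutes", 3600),
    ("hours", 86400),
    ("days", 7 * 86400),
    ("weeks", 30 * 86400),
    ("months", 365 * 86400),
)


def bucket(seconds):
    """Map a duration in seconds to a DBIR-style timespan label."""
    for label, limit in BUCKETS:
        if seconds < limit:
            return label
    return "years"


def phase_seconds(incident, start_key, end_key):
    """Duration of one phase in seconds, or None if either endpoint is missing.

    Raises ValueError for an inconsistent timeline (end before start) rather
    than silently producing a negative duration.
    """
    start, end = incident.get(start_key), incident.get(end_key)
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    secs = delta.total_seconds()
    if secs < 0:
        raise ValueError(f"{incident['id']}: {end_key} precedes {start_key}")
    return secs


def timespan_distribution(incidents):
    """Percent of breaches in each timespan bucket, per phase.

    Percentages are computed over the incidents that have both endpoints for
    that phase, so an incident with no exfiltration does not distort that row.
    """
    result = {}
    for phase, start_key, end_key in PHASES:
        counts = Counter()
        for inc in incidents:
            secs = phase_seconds(inc, start_key, end_key)
            if secs is not None:
                counts[bucket(secs)] += 1
        n = sum(counts.values())
        result[phase] = (
            {label: round(100 * c / n, 1) for label, c in counts.items()} if n else {}
        )
    return result


if __name__ == "__main__":
    for phase, dist in timespan_distribution(INCIDENTS).items():
        print(f"{phase:28s} {dist}")
```

Run against real data the interesting number is usually the compromise-to-discovery row: if most of your mass sits in "weeks" or "months", detection rather than prevention is where the next investment belongs.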
There is perhaps too much emphasis on counts of records lost, but of course this is a "data breach" report. The report states that it makes "no claim that the findings of this report are representative of all data breaches in all organizations at all times". There is clearly a heavy bias towards retailers (e.g. the staff roles discussed, recommendations referencing point of sale), and thus towards those organisations within scope of the standards from the Payment Card Industry Security Standards Council (PCI SSC). However, data was gathered not only by Verizon but also by the Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, the UK's Police Central e-Crime Unit, and the United States Secret Service. So the data is not drawn only from Verizon's paying clients.
Remember, you don't need to lose data to have an incident or a loss. I'd like to see reports titled:
- 2012 Attacks Without Data Loss Investigations Report
- 2012 Data Alteration and Destruction Report
- 2012 Breachless Fraud & Misuse Report
- 2012 Undetected Incidents Report
- 2012 Service Unavailability Investigations Report
- 2012 Reputation, Risk and Resolve
We have that data, yes? Oh, ...maybe not.