I’m back from the last ISSA-Be meeting held in the Verizon offices in Leuven. Today’s topic was “Cybercrime: The actors, their actions, and what they’re after“. The speaker was Matthijs van der Wel, EMEA manager of Verizon Business’ Forensics practice, who contributed to the Data Breach Investigation Report.
The talk was divided into two parts. In the first one, Matthijs reviewed the 2009 edition of the report. This is an annual document released by the Verizon Forensic Team. They analyze thousands of security breaches and compute some statistics. This document is a must read but, honestly, tons of numbers and graphs must be digested. Tonight, Matthijs reviewed some of them and gave nice examples to illustrate some numbers. I already met him in Amsterdam last year during an (ISC)2 event. For those who are interested, the 2010 edition is almost done and will be released in June.
First, the report is based on “security breaches”; such an incident occurs when:
- It is confirmed
- Data have been stolen
- And data have been abused!
The last point is important: if a laptop with critical data is stolen but the robber just reformats the drive to sell it on eBay, this is not considered a security breach. Second important point: a specific incident can be critical for one organization while the same incident will be irrelevant for another one. Matthijs reviewed some examples of classic security breaches (lots of them are due to stupid things, hélas!). He also explained why online criminality is growing so quickly by comparing a bank robber and a hacker. The robber must come to the bank with a gun, point it at somebody and ask for money. If he’s lucky, the police will just arrest him, or shoot him first. On the other hand, cybercrime does not directly expose the bad guy. He can operate from home and evidence is very difficult to collect (he will jump onto several hosts located in several countries). It’s a nightmare for forensic investigators.
After a short break, the second part of the talk was about “forensics in the cloud”. A huge topic! 😉 Things must be clear: it’s almost impossible to perform an investigation in the cloud. The main issues are:
- We don’t know where the data are located
- Is it possible to access a backup?
- How to access the logs?
- How long are they kept?
- Which events are logged?
- In which format are the data stored?
The conclusion is simple: don’t put sensitive business in the cloud. If you need to keep control, keep your data with you! One important remark from Matthijs about the data: it’s important to communicate in case of a security breach, but it’s also important to communicate before: know your data! Know which data are collected from your customers or partners and tell them how you manage them.
Besides the talk, I met the regular people and also new faces!
Note: The next OWASP Belgium Chapter meeting is scheduled on 1st of June and will cover the Belgian eID.