ISSA Belgium Chapter Review of the Verizon DBIR

I’m just back from the latest ISSA Belgium event, organized tonight at Verizon’s premises. Wade Baker, director of risk intelligence at Verizon and creator, author and primary analyst of Verizon’s DBIR series, presented the analysis, findings and recommendations of the 2011 edition of the DBIR. If you are an infosec professional, you surely (well, I hope ;-)) know what is behind this acronym: “Data Breach Investigations Report“. Very briefly, this document explains how sensitive data is stolen, by whom and by what means. Today most organizations want answers to two questions: “Are we secure?” and “How do we prove that we are secure?” (and both must be answered with limited resources and with the data available).

Wade started his presentation by defining some terms such as “uncertainty” and “equivocality“. One of the DBIR’s goals is to reduce both. I noted his remark about the answers people give when asked what they consider the “greatest threats“: not all of their answers are actually threats. Example: a huge database, which is an asset at risk, not a threat.

Then Wade explained how the study was conducted. It is based on the VERIS framework (“Verizon Enterprise Risk and Incident Sharing“), a set of metrics designed to provide a common language for describing security incidents. An incident is “a chain of events“, and every event is described by four elements (the “A4” model):

  • An agent: Whose actions affected the asset
  • An action: What actions affected the asset
  • An asset: Which assets were affected
  • An attribute: How the asset was affected

More information about this framework is available here.
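To make the A4 model concrete, here is a small added example (my own code, not part of the VERIS framework or the report) that represents each incident as a chain of agent/action/asset/attribute events and then aggregates them the way the DBIR tables do: an incident counts once under every category it touches. The three incidents are constructed for illustration, not real cases, and the category vocabularies are simplified compared with VERIS. It also shows why, as came up in the audience questions at the end, per-category percentages can add up to more than 100%.

```python
"""VERIS-style modelling of incidents as chains of A4 events (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    agent: str      # who: external, internal, partner
    action: str     # what: hacking, malware, physical, social, misuse, error, ...
    asset: str      # which: server, user device, network, person, offline data
    attribute: str  # how: confidentiality, integrity, availability, possession, ...


@dataclass
class Incident:
    name: str
    events: List[Event] = field(default_factory=list)

    def categories(self, element: str) -> Set[str]:
        """Distinct values of one A4 element across the whole chain of events."""
        return {getattr(e, element) for e in self.events}


# Constructed sample incidents (not real DBIR cases): a retail POS compromise
# that chains default credentials, a keylogger and disabled controls; a lost
# laptop; and a web application breach.
INCIDENTS = [
    Incident("retail POS", [
        Event("external", "hacking", "server", "confidentiality"),   # default creds on remote admin
        Event("external", "malware", "server", "confidentiality"),   # keylogger installed
        Event("external", "malware", "server", "integrity"),         # security controls disabled
    ]),
    Incident("lost laptop", [
        Event("internal", "error", "user device", "possession"),
    ]),
    Incident("web app", [
        Event("external", "hacking", "server", "confidentiality"),
        Event("external", "malware", "server", "confidentiality"),
    ]),
]


def percent_of_incidents(incidents: List[Incident], element: str) -> Dict[str, float]:
    """Percentage of incidents in which each value of `element` appears at least once.

    An incident is counted once per distinct value it contains, so the totals
    exceed 100% whenever incidents span several categories of the same element.
    """
    counts: Counter = Counter()
    for inc in incidents:
        for value in inc.categories(element):
            counts[value] += 1
    n = len(incidents)
    return {v: round(100.0 * c / n, 1) for v, c in counts.items()}


if __name__ == "__main__":
    for element in ("agent", "action", "asset", "attribute"):
        stats = percent_of_incidents(INCIDENTS, element)
        print(f"{element:10s} {stats}  (sum={sum(stats.values()):.1f}%)")
```

With these three incidents the agent percentages sum to exactly 100% (each incident has a single agent), while the action percentages sum to about 167% because two of the incidents involve both hacking and malware.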

The rest of the presentation was a review of the whole document with Wade’s comments. What I remembered:

  • 750 new breaches in the 2011 edition (total for all years: 1,700+) and 4M confirmed compromised records (total: 900+M).
  • The report is based on three data sources: Verizon’s own caseload, the US Secret Service and the Dutch National High Tech Crime Unit (NHTCU). The statistics show big differences between the US and Europe. One explanation is US breach-notification laws, which force organizations to disclose data breaches.
  • There is a big drop in the volume of data lost (compromised records). No firm explanation, but perhaps the falling price of stolen data on the black market.
  • The top three types of organizations that suffered data breaches are hospitality, retail and financial services.
  • The top three threat action categories are hacking, malware and physical.
  • The most common malware infection vector is installation or injection by a remote attacker who already has access to the system. Strangely, the figure for “drive-by download” remains very low.
  • The top three functions of the malware found: sending data to an external site, installing backdoors and keyloggers, and disabling or interfering with security controls.
  • There is more and more customized malware (custom-written, with modified code, or simply repacked to evade antivirus signatures).
  • The top three hacking techniques are exploitation of a backdoor or control channel, use of default or guessable credentials, and brute-force or dictionary attacks. The techniques used are directly related to the target! Example: systems installed in retail organizations (e.g. point-of-sale systems) are more vulnerable to default-password attacks.
  • The preferred attack pathways are remote access tools, backdoors and web applications.
  • An interesting remark about mobile devices: while Verizon acknowledges the growth of mobile computing and the increasing attractiveness of the platform to potential threats, it has not been shown that such devices are a source of data breaches!
  • The same kind of remark applies to virtual environments: yes, they are targeted by attackers, but not because they are virtual, just because they process data like a regular server.
  • Verizon also tried to categorize the difficulty of the attacks: high / moderate / low. From my point of view this is not an objective analysis: some attacks might be considered “low” by skilled people and “high” by newbies.
  • Finally, how the victims discovered the breaches. The top three are: a third-party fraud detection system, notification by law enforcement, and a report from a customer or partner.

On this last point, an IDS detected the breach in less than 1% of cases, and no incident was detected by a proper log review process. I asked Wade whether this was due to a lack of log management processes or to badly implemented solutions. For him, it is simply because most organizations still do not take care of their logs today! Why am I not surprised?
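Since two of the top three hacking techniques (default or guessable credentials, brute-force or dictionary attacks) leave an obvious trail in authentication logs, here is an added example of the kind of log review that was absent in every case in the report. This is my own illustration, not code from Verizon or the report: it parses sshd-style syslog lines, flags a burst of failed logins from one source, a success following such a burst, and any password login to a well-known default account. The log lines and the list of default account names are constructed for the example, and the threshold and window are arbitrary assumptions.

```python
"""Minimal authentication log review for brute-force and default-credential use (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample auth log lines (sshd-style syslog), not taken from the report.
SAMPLE_LOG = """\
May 10 22:01:01 pos01 sshd[812]: Failed password for admin from 203.0.113.7 port 51002 ssh2
May 10 22:01:03 pos01 sshd[812]: Failed password for admin from 203.0.113.7 port 51003 ssh2
May 10 22:01:04 pos01 sshd[812]: Failed password for admin from 203.0.113.7 port 51004 ssh2
May 10 22:01:06 pos01 sshd[812]: Failed password for admin from 203.0.113.7 port 51005 ssh2
May 10 22:01:07 pos01 sshd[812]: Failed password for admin from 203.0.113.7 port 51006 ssh2
May 10 22:01:09 pos01 sshd[812]: Accepted password for admin from 203.0.113.7 port 51007 ssh2
May 10 22:05:00 pos02 sshd[900]: Accepted password for root from 198.51.100.9 port 40000 ssh2
May 10 22:10:00 pos03 sshd[950]: Failed password for alice from 192.0.2.5 port 33000 ssh2
May 10 22:30:00 pos03 sshd[951]: Accepted publickey for alice from 192.0.2.5 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Assumed list of vendor/default account names worth alerting on; adapt to your estate.
DEFAULT_ACCOUNTS = {"admin", "root", "administrator", "guest", "pos", "support"}
THRESHOLD = 5   # assumed: failed logins per (host, source IP) ...
WINDOW = 60     # assumed: ... within this many seconds triggers a brute-force finding
LOG_YEAR = 2011  # syslog timestamps carry no year; assumed for parsing

Finding = Tuple[str, str, str, str]  # (rule, host, source ip, user)


def parse(lines: List[str]) -> List[dict]:
    """Parse sshd login lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({**m.groupdict(), "ts": ts})
    return events


def review(log_text: str) -> List[Finding]:
    """Run the three detection rules over the log and return the findings in log order."""
    findings: List[Finding] = []
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in parse(log_text.splitlines()):
        key = (e["host"], e["ip"])
        if e["result"] == "Failed":
            # Keep only failures inside the sliding window, then check the threshold once.
            failures[key] = [t for t in failures[key] if (e["ts"] - t).total_seconds() <= WINDOW]
            failures[key].append(e["ts"])
            if len(failures[key]) == THRESHOLD:
                findings.append(("brute-force", e["host"], e["ip"], e["user"]))
        else:  # Accepted
            if e["method"] == "password" and e["user"] in DEFAULT_ACCOUNTS:
                findings.append(("default-account-password-login", e["host"], e["ip"], e["user"]))
            if len(failures[key]) >= THRESHOLD:
                findings.append(("success-after-brute-force", e["host"], e["ip"], e["user"]))
    return findings


if __name__ == "__main__":
    for rule, host, ip, user in review(SAMPLE_LOG):
        print(f"{rule:32s} host={host} src={ip} user={user}")
```

On the sample, the script reports the brute-force burst against pos01, the successful login to admin that follows it (the pattern behind the POS compromises in the report), and the password login to root on pos02; alice’s single failure and key-based login produce nothing.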

DBIR Presentation @ Verizon

Some relevant questions were asked by the audience. First, the report does not take into account the value of a stolen record: one credit card number does not have the same value as a formula stolen from a pharmaceutical company. Second, many of the percentages given in the presentation did not add up to 100%. This is a consequence of the VERIS framework: a single incident can fall into several categories at once (a breach involving both hacking and malware counts under both), so per-category percentages are not meant to sum to 100%, which is confusing when reading the charts.

The complete report is a huge 74-page document and is not easy to read: it compiles lots of numbers organized in tables, bar graphs and pie charts. So it was a nice initiative from ISSA to invite Wade to discuss the topic; the whole document was reviewed in two hours. It contains useful facts that must be understood by your internal organization or your customers.

One of the conclusions I liked: “If done consistently, basic security is enough in most cases“. Most incidents are still due to stupid mistakes today. Do I need to mention the Sony story as a good bad example?

A small gift: a printed copy was available for everybody. The electronic version is available here.
