Thanks to organized crime and direct targeting of the financial services industry, there were more electronic records compromised in 2008 than the previous four years combined. This startling fact comes from data in the second annual study published by Verizon Business. The report, released today, is based on data analyzed from 285 million compromised records in 90 confirmed breaches.
[Image caption: 285 million records compromised in 2008. Ties to organized crime discovered. (Image: J. Anderson)]
A highlight note from this year’s report is that over 90 percent of the compromised records in 2008 were linked to organized crime. According to Verizon, the big money is now in stealing personal identification number (PIN) information together with associated credit and debit accounts.
In 2008, Verizon said it witnessed an explosion of attacks targeting PIN data. The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies. Criminals have re-engineered their processes and developed new tools, such as memory-scraping malware, to steal this valuable commodity.
Attack origin is another observation. Verizon’s data on where attacks originated showed high activity in Eastern Europe, East Asia, and North America. The latest report shows these regions accounted for 82 percent of all external attacks.
“Eastern Europe is known as a notorious haven for organized cybercrime outfits, which played a major role in breaches throughout 2008,” said Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions.
“We have a great deal of evidence that malicious activity from Eastern Europe is the work of organized crime,” he said. However, he also added that: “On the bright side, efforts with law enforcement led to arrests in at least 15 in 2008.”
Criminals typically stack several methods during a breach. Most breaches resulted from a combination of events rather than a single action. Verizon’s data says that 64 percent of breaches were attributed to criminals who used a combination of methods. In most successful breaches, 98 percent of them in fact, the attacker exploited a mistake made by the victim, compromised the network, or installed malware on a system to collect data. The percentage of customized malware used in these attacks more than doubled in 2008.
Nearly all records compromised in 2008 were from online assets. Despite widespread concern regarding desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications. Unauthorized access via default credentials (usually third-party remote access) and SQL injection (against Web applications) were the top forms of attack.
This leads to the question of compliance law, where Verizon issues another kick to the gut. 81 percent of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached. However, the 19 percent that were compliant still suffered a breach. Yet, these figures do not support the claim that PCI-DSS has failed or is useless.
“Due to the point-in-time nature of PCI assessments, it is possible that an organization deemed compliant at its last audit may not still be compliant at the time of the breach. Furthermore, PCI compliance is not an absolute guarantee against breaches nor is the assessment process always consistent,” the report outlined.
This year’s Verizon report is similar to last year’s study when considering both the cause and aftermath of the security incidents. Last year, when Verizon looked at the breaches from 2004-2007, it concluded the same thing as when looking at 2008 alone -- namely, almost all of the breaches were avoidable.
In both the 2008 and 2009 reports, most of the breaches investigated did not require expensive or complex protections to avoid trouble, just some basic common sense and planning. This year’s report concluded that mistakes and oversight failures hindered security efforts more than a lack of resources at the time of the breach.
The aftermath is the same as well. In each case, the company responsible for protecting the lost data spent more money cleaning up the breach than it would have in working to prevent it in the first place. This is in addition to the lost reputation, and the hit to the bottom line because of lawsuits and fines.
The full report from Verizon Business can be viewed by clicking here.