In a way, the annual Verizon Data Breach reports have become a must-read when it comes to analyzing the latest trends associated with data breaches. This year's report had more meat and gained additional weight when the United States Secret Service (USSS) collaborated with the Verizon Business RISK team to create the report.
Critical Threats
- 2009 saw a reduction in the number of disclosed breaches compared to previous years. A reason could be that the market is flooded with records from previous years and the bad guys are simply playing the supply & demand game. Breach laws and better law enforcement effectiveness could also be reasons.
- External attackers still constitute a bigger threat (45% of all breaches & 138 million records stolen) when compared to insiders (27% of all breaches & only 2.6 million records stolen).
- The majority of data breaches are initiated and driven largely by organized groups.
- Weak or stolen credentials, SQL injection and customized malware continue to plague organizations trying to protect information assets.
- Attackers know most users have excessive rights, and they exploit these excess privileges. Monitoring of user access by employers also remains a concern.
- Cases involving social engineering more than doubled. Physical security also remains an issue.
- A whopping 96% of the breaches could have been avoided by implementing simple or intermediate security controls.
Do not worry list
- Everyone wants to talk about Advanced Persistent Threats (APTs) since the Google breach incident in China. The report indicates that this threat level is the same. APTs are not the source of all malware infections or suspicious traffic on your networks. Walk away from the hype and spend your security dollars elsewhere for greater defense in depth.
Statistics & other metrics
- The financial services industry (33%) and hospitality (23%) represent the largest groups that were breached. This is hardly surprising, since financial groups process a lot of customer-related personal and financial information. One group, healthcare (only 3%), is surprising, but I am sure it would grow in the coming years with the growing value of HIPAA-related data.