2012 Data Breach Investigations Report

A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information Security Service, Police Central e-Crime Unit of the London Metropolitan Police, and United States Secret Service.
2012 Data Breach Investigations Report
Brian Grayek CISSP, ITILv3
SW US Area Manager - Terremark
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 3
Data Breach Investigations Report (DBIR) Series
An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who's doing it, why they're doing it, and, of course, what might be done to prevent it.
--
Available at: www.verizon.com/enterprise/databreach
Updates/Commentary:
http://www.verizon.com/enterprise/securityblog
Hold on… Wha???
Why is my telco investigating breaches?
Enterprise Solutions to Meet Business Imperatives
IT Services: Cloud-based Services; Data Center Services; Managed Applications; Managed IT; Equipment and Services; Professional Services
Security Services: Government, Risk and Compliance; Identity and Access Management; Managed Security; Equipment and Services; ICSA Labs; Professional Services
Communications Services: Contact Center Services; Unified Communications; Video, Web and Audio Conferencing; Traditional Voice; Emergency Communications Services; Equipment and Services; Professional Services
Networking Services: Internet; Private WAN; Private Point to Point; Access Services; Managed Networks; Equipment and Services; Professional Services
Mobility: Advanced Communications; Applications and Content; Global Communications; Hardware; Mobile Data; Voice and Messaging; Professional Services
RISK Team falls here
2012 DBIR Contributors
Methodology: Data Collection and Analysis
DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data. It enables case data to be shared anonymously with the RISK Team for analysis.
VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
VERIS: https://verisframework.wiki.zoho.com/
An overview of our results and analysis
Threat Agents
Threat Agents: Larger Orgs
Threat Agents
Threat Agents: External
Threat Actions
Threat Actions: Larger Orgs
Top Threat Actions
Top Threat Actions: Larger Orgs
Compromised Assets
Most Compromised Assets
Compromised Assets: IP & classified data
[Chart: percentage of these breaches by asset category (Servers, Networks, User Devices, Offline Data); the percentage labels were separated from their categories in extraction]
Asset Ownership, Hosting, and Management
Compromised Data
Compromised Data
Attack Difficulty
Attack Targeting
The 3-Day Workweek
Timespan of Events
Timespan of Events: Larger Orgs
Breach Discovery
Breach Discovery
PCI DSS Compliance
An overview of Recommendations
Recommendations: Smaller Orgs
Recommendations: Larger Orgs
Verizon Solutions: Larger Orgs
“Eliminate unnecessary data; keep tabs on what’s left”:
Data Protection
    Strategy/Assessment: Business Case Analysis, Roadmap and Policy Review, Data Protection Strategy, Product Evaluation
    Data Discovery and Classification (DDISC): Information Classification
    Data Loss Prevention (DLP): DLP Maturity, DLP Operationalization, DLP Health Check, DLP Management
    Encryption/Key Management: PKI Roadmaps and Deployment, File/Folder and Full Disk, Email and Messaging, Application and Platform Specific (e.g., Oracle)
    Post Leak Management: Rights Management, Mobile Device Remote Kill
Verizon Solutions:
Larger Orgs (cont’d)
“Ensure essential controls are met; regularly check that they
remain so”:
Managed Security Services
    Identity & Access Management
    Vulnerability Management
Professional Services
    Business Security Assessment
    Information Assurance (IA) Management Action Plans
    Security Management Program
Recommendations and Solutions:
Larger Orgs (cont’d)
“Monitor and mine event logs”:
Managed Security Services
    Application log monitoring and management service
    Managed network and security services for remote monitoring and management of devices (e.g., firewalls, VPNs)
    Network and host intrusion detection/prevention systems
    Gateway anti-virus systems, proxy and content screening systems
Identity & Access Management
    Log Analysis Tools
Professional Services
    Identification of critical log sources
    Defining security requirements
    Customizing a filtering and classification policy
    Implementation capabilities including project and technology management, and configuration (including standardizing log formats before transport to the central log server)
    On-site installation and staging
Recommendations and Solutions:
Larger Orgs (cont’d)
“Evaluate your threat landscape to prioritize your treatment strategy”:
Professional Services
    Internal and External Network Vulnerability Testing
    Penetration Testing
    Application Vulnerability Assessment
    Security Management Program
Verizon Solutions
Protect Against the Top 10 Threat Actions:
Hacking: Use of stolen credentials (30% of breaches)
Description
Refers to instances in which an attacker gains access to a protected
system or device using valid but stolen credentials.
Verizon Enterprise Solution
- Identity & Access Management (professional and managed services)
- Security Awareness Training
- Security Management Program
Malware: Backdoors, Command and Control (18% of breaches)
Hacking: Exploitation of backdoor or command and control channel (17% of breaches)
Description
Tools that provide remote access to and/or control of infected systems.
Backdoor and command/control programs bypass normal authentication
mechanisms and other security controls enabled on a system and are
designed to run covertly.
Verizon Enterprise Solution
- Professional Services: Security Policy Review
- Professional Services: Host-build assessment
- Managed Security Services: Host IDS
- Internet Managed Scanning Services
- Data Loss Prevention (strategy, planning, design, implementation &
management)
- Log Monitoring and Management
- Identity and Access Management (professional and managed services)
Physical: Tampering (17% of breaches)
Description
Unauthorized altering or interfering with the normal state or operation of an
asset. Refers to physical forms of tampering rather than, for instance,
altering software or system settings.
Verizon Enterprise Solution
- Security Awareness Training
- Professional Services: Physical Security
Keylogger/Form-grabber/Spyware (13% of breaches)
Description
Malware that is specifically designed to collect, monitor, and log the actions
of a system user. Typically used to collect usernames and passwords as
part of a larger attack scenario. Also used to capture payment card
information on compromised POS devices. Most run covertly to avoid
alerting the user that their actions are being monitored.
Verizon Enterprise Solution
- Professional Services: Security Policy Review
- Professional Services: Host-build assessment
- Managed Security Services: Host IDS
- Internet Managed Scanning Services
- Identity and Access Management
- Security Management Program
Pretexting (Social Engineering) (12% of breaches)
Description
A social engineering technique in which the attacker invents a scenario to
persuade, manipulate, or trick the target into performing an action or
divulging information. These attacks exploit “bugs in human hardware” and,
unfortunately, there is no patch for this.
Verizon Enterprise Solution
- Professional Services: Social Engineering
- Security Awareness Training
- Security Management Program
Verizon Solutions
Protect Against the Top 10 Threat Actions (cont’d):
Brute-force attack (8% of breaches)
Description
An automated process of iterating through possible username/password
combinations until one is successful.
Verizon Enterprise Solution
- Identity & Access Management Services
- Professional Services: Encryption and Key Management
- Application Log Monitoring
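The brute-force item above, together with the earlier “Monitor and mine event logs” recommendation (standardizing log formats before they reach the central log server), as an added example that is not part of the original deck or of Verizon's tooling: two constructed log formats are normalised to one schema, then each source IP is checked for a burst of failed logins inside a short window, and the verdict records whether a later success from the same source followed the burst. The sample lines, regexes, window and threshold are all assumptions chosen for illustration.

```python
"""Normalise two auth-log formats into one schema and flag brute-force patterns."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): an sshd/syslog source and a web
# application source, illustrating why formats are standardised before
# they reach the central log server.
SAMPLE_LOGS = """\
2012-03-01T10:00:01Z host1 sshd[210]: Failed password for admin from 203.0.113.7 port 4410 ssh2
2012-03-01T10:00:03Z host1 sshd[210]: Failed password for admin from 203.0.113.7 port 4411 ssh2
2012-03-01T10:00:04Z host1 sshd[210]: Failed password for root from 203.0.113.7 port 4412 ssh2
2012-03-01T10:00:06Z host1 sshd[210]: Failed password for admin from 203.0.113.7 port 4413 ssh2
2012-03-01T10:00:09Z host1 sshd[210]: Accepted password for admin from 203.0.113.7 port 4414 ssh2
2012-03-01T10:05:00Z host1 sshd[211]: Failed password for alice from 198.51.100.2 port 5000 ssh2
2012-03-01T10:06:00Z host1 sshd[211]: Accepted password for alice from 198.51.100.2 port 5001 ssh2
app login ts=2012-03-01T10:01:00Z ip=192.0.2.9 user=bob result=FAIL
app login ts=2012-03-01T10:01:02Z ip=192.0.2.9 user=bob result=FAIL
app login ts=2012-03-01T10:01:03Z ip=192.0.2.9 user=carol result=FAIL
app login ts=2012-03-01T10:01:05Z ip=192.0.2.9 user=dave result=FAIL
app login ts=2012-03-01T10:01:06Z ip=192.0.2.9 user=erin result=FAIL
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<res>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
APP_RE = re.compile(
    r"^app login ts=(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>FAIL|OK)$")


def normalise(line):
    """Map one raw line onto the common schema (ts, ip, user, success) or None."""
    for rx in (SSHD_RE, APP_RE):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            success = m["res"] in ("Accepted", "OK")
            return {"ts": ts, "ip": m["ip"], "user": m["user"], "success": success}
    return None  # unknown format: report as a parse gap rather than dropping it silently


def detect_bruteforce(lines, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: verdict} for source IPs with >= threshold failures inside
    `window`; the verdict is 'success_after_failures' when a later success from
    the same IP follows the burst (the outcome a defender cares about most)."""
    events = [e for e in (normalise(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        fails = [e["ts"] for e in evs if not e["success"]]
        # sliding window: is there any run of `threshold` failures within `window`?
        burst = any(fails[i + threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        last_fail = fails[-1]
        succeeded = any(e["success"] and e["ts"] > last_fail for e in evs)
        verdicts[ip] = "success_after_failures" if succeeded else "failures_only"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(ip, verdict)
```

The single failure from 198.51.100.2 followed by a success is a normal user mistyping a password and is not flagged; the burst from 203.0.113.7 that ends in a success is the case that should be escalated first.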
SQL injection (8% of breaches)
Description
SQL Injection is an attack technique used to exploit how web pages
communicate with back-end databases. An attacker can issue commands
(in the form of specially crafted SQL statements) to a database using input
fields on a website.
Verizon Enterprise Solution
- Application Vulnerability Scanning
- Secure Application Development Training
- Application Security Program
- Professional Services:
- Secure Source Code Review
- Penetration testing
- Application firewall implementation, monitoring & management
- Identity and Access Management
- Database audit technology monitoring & management
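The SQL injection item above, as an added example that is not from the deck: a user lookup that pastes input into the statement text beside its parameterised form, both run on a constructed in-memory SQLite table so the difference in returned rows is visible. Table contents and the sample input are assumptions for illustration.

```python
"""String-built query beside its parameterised form, exercised on an in-memory
SQLite table. Constructed example illustrating the SQL injection item."""
import sqlite3


def make_db():
    """Build a throwaway users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_vulnerable(conn, username):
    """Input pasted into the statement text: the database parser cannot tell
    where the data ends and the SQL begins, so a quote character in the input
    changes the query's logic instead of being compared as a value."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterised query: the driver binds the value after the statement is
    parsed, so whatever the input contains it is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and return (vulnerable, safe) results."""
    conn = make_db()
    try:
        return find_user_vulnerable(conn, username), find_user_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))           # both paths return ['alice']
    print(compare("x' OR 'a'='a"))    # vulnerable path returns every user, safe path returns []
```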
Alignment of Recommendations and Solutions
Protect Against the Top 10 Threat Actions:
Recommendations and Solutions
Protect Against the Top 10 Threat Actions (cont’d):
Unauthorized access via default credentials (43% of breaches with single threat action)
Description
Refers to instances in which an attacker gains access to a system or
device protected by standard preset (and therefore widely known)
usernames and passwords.
Verizon Enterprise Solution
- Identity & Access Management (professional and managed services)
- Partner Security Program
- Security Management Program
- Penetration Testing
Phishing (and endless *ishing variations) (8% of breaches)
Description
A social engineering technique in which an attacker uses fraudulent
electronic communication (usually e-mail) to lure the recipient into divulging
information. Most appear to come from a legitimate entity and contain
authentic-looking content. The attack often incorporates a fraudulent
website component as well as the lure.
Verizon Enterprise Solution
- Internet Managed Scanning Services
- Managed Web-Content Filtering (Websense, etc.)
- Professional Services: Security Policy Review
- Security Management Program
Measuring and managing information risk
To properly manage risk, we must measure it. To properly measure risk, we must understand our information assets, the threats that can harm them, the impact of such events, and the controls that offer protection.
A threat event that is measurable (and thus
manageable) identifies the following 4 As:
Agent: Whose actions affected the asset
Action: What actions affected the asset
Asset: Which assets were affected
Attribute: How the asset was affected
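The 4 As above, as an added example that is neither the deck's nor VERIS's own code: constructed incident records tagged with Agent, Action, Asset and Attribute are tallied to produce per-action shares of the kind the deck quotes (“30% of breaches”), showing why those shares can sum to more than 100%. The records are invented, and reading “of breaches with single threat action” as a restricted denominator is an assumption.

```python
"""Tally VERIS-style incident records by the 4 As (constructed data, not DBIR
records) to show how per-action shares such as '30% of breaches' arise."""
from collections import Counter, defaultdict

# Constructed incidents. Each carries the four As; an incident may involve
# several actions, which is why action shares can sum to more than 100%.
INCIDENTS = [
    {"agent": "external", "actions": ["hacking.stolen_credentials", "malware.backdoor"],
     "asset": "server", "attribute": "confidentiality"},
    {"agent": "external", "actions": ["hacking.brute_force"],
     "asset": "server", "attribute": "confidentiality"},
    {"agent": "external", "actions": ["hacking.sql_injection", "malware.keylogger"],
     "asset": "server", "attribute": "confidentiality"},
    {"agent": "internal", "actions": ["misuse.privilege_abuse"],
     "asset": "user_device", "attribute": "confidentiality"},
    {"agent": "external", "actions": ["physical.tampering"],
     "asset": "user_device", "attribute": "integrity"},
    {"agent": "external", "actions": ["hacking.stolen_credentials"],
     "asset": "server", "attribute": "confidentiality"},
    {"agent": "partner", "actions": ["hacking.default_credentials"],
     "asset": "server", "attribute": "confidentiality"},
    {"agent": "external", "actions": ["social.phishing", "malware.keylogger",
                                      "hacking.stolen_credentials"],
     "asset": "user_device", "attribute": "confidentiality"},
]


def share_by(incidents, key):
    """Percentage of incidents in which each value of `key` appears.
    `actions` is a list, so one incident can count toward several actions;
    scalar keys (agent, asset, attribute) count once per incident."""
    n = len(incidents)
    if n == 0:
        return {}
    counts = Counter()
    for inc in incidents:
        values = inc[key] if isinstance(inc[key], list) else [inc[key]]
        counts.update(set(values))  # an action listed twice still counts once
    return {v: round(100 * c / n) for v, c in sorted(counts.items())}


def single_action_shares(incidents):
    """Shares computed only over incidents with exactly one action, the
    denominator assumed behind 'of breaches with single threat action'."""
    return share_by([i for i in incidents if len(i["actions"]) == 1], "actions")


def agent_action_pairs(incidents):
    """Count of incidents per (agent, action) pair: the 'who did what' view."""
    pairs = defaultdict(int)
    for inc in incidents:
        for action in set(inc["actions"]):
            pairs[(inc["agent"], action)] += 1
    return dict(pairs)


if __name__ == "__main__":
    print(share_by(INCIDENTS, "actions"))
    print(single_action_shares(INCIDENTS))
    print(share_by(INCIDENTS, "agent"))
    print(agent_action_pairs(INCIDENTS))
```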
Diagnose Ailments
Treatment strategy
[Figure: three treatment columns, each covering Policy, People, Process, Technology]
EBRM aims to apply the best available
evidence gained from empirical research to
measure and manage information risk.
Data Breach Investigations Report (DBIR) series = evidence for measuring and managing risk
DBIR: www.verizon.com/enterprise/databreach
VERIS: https://verisframework.wiki.zoho.com/
Blog: http://www.verizon.com/enterprise/securityblog
Email: dbir@verizon.com