Criminal gangs are targeting smaller organisations because they are seen as softer targets, according to the findings of the 2011 Verizon Data Breach Investigations Report. The result is that, although far fewer records have been stolen, the number of breach incidents is rising.
For the last three years, Verizon has produced an analysis of genuine investigations it has undertaken following data breaches. Its results have been complemented by similar information from the US Secret Service (USSS), and, this year, it includes figures provided by the Netherlands HiTech Crime Unit.
Between 2008 and 2009, the first two years covered by the report, the number of records compromised dropped from 361 million to 144 million. In 2010, the period covered by the new report, it plummeted to 3.8 million.
At the same time, the combined number of cases handled by Verizon and USSS rose from 141 in 2009 to 761 in 2010. The Dutch figures bring the total to around 800.
Chris Porter, a senior risk analyst at Verizon, said several factors may have influenced the sharp fall, including the arrest of some high-profile hackers, such as Albert Gonzalez, the man imprisoned last year for the data breach at US retailer TJX. Another factor could be that the vast supply of stolen credit card details has depressed the resale price and made the trade less profitable.
“The folks that were responsible for some of the mega breaches of recent years are all behind bars, and those that aren’t are scrambling from law enforcement right now,” Porter said. “Criminals are moving to smaller, less risky heists. But with that lower risk, they get a lower yield.”
However, criminals have developed new ways of maintaining their profits, Porter said. One innovation is the introduction of more industrialised methods to generate attacks. “Certain criminal organisations have created a workflow process to allow them to target a lot of different organisations using the same hack methods,” he said. “They have built economies of scale into their attacks. That’s something we’ve not seen a lot of previously.”
He said that certain criminal organisations were able to compromise up to 150 different victim companies at a time.
When targeting smaller companies, however, criminals can still rely on tried and tested methods for breaching systems, such as exploiting backdoors or default and guessable credentials. “A lot of these smaller organisations don’t have the expertise and resources to do what is necessary to defend themselves,” Porter said.
While payment card data is still the prime target of criminals, and accounts for 96% of all records compromised, the report notes an increase in the theft of sensitive information, intellectual property and classified data. “The number of breaches involving such data has never been higher in our caseload,” the report says, adding that many thefts may go undiscovered, because, unlike for financial data, there is no third-party fraud detection mechanism.
But the report concludes that much crime could be prevented if organisations took the most basic steps to protect their information. “Every year that we study threat actions leading to data breaches, the story is the same; most victims aren’t overpowered by unknowable and unstoppable attacks,” it says. “For the most part, we know them well enough and we also know how to stop them.”
Among the recommendations of the 2011 edition of the Verizon Data Breach Investigations Report is that companies carry out proper application testing. “SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion,” it says. “It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defenses follow suit?”
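As an illustration of the kind of application test the report is calling for, the following is an added example, not code from the report or from Verizon. It builds a constructed in-memory SQLite table, shows a login check that concatenates user input into the query (the classic SQL injection leading to authentication bypass) beside the same check with bound parameters, and runs a small set of injection payloads against both. The table contents, payloads and function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example: one user, plaintext password
# for brevity only (a real application stores a salted password hash).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: the query is assembled with string
    formatting, so a quote in either field rewrites the SQL itself."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Hardened form: bound parameters are sent to the engine separately
    from the statement text, so input can never change the query shape."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Assumed payloads: each pair is (username, password) an attacker might
# submit without knowing alice's password.
PAYLOADS = [
    ("alice", "' OR '1'='1"),    # tautology turns the WHERE clause true
    ("alice", "' OR 1=1 --"),    # same, with the trailing quote commented out
    ("alice", "x' OR 'a'='a"),   # tautology inside the password literal
    ("alice' --", "wrong"),      # comments out the password check entirely
]

def audit_login(login_fn):
    """Application-test harness: returns how many payloads log in as
    alice without her real password. A correct implementation returns 0."""
    conn = make_db()
    return sum(1 for user, pw in PAYLOADS if login_fn(conn, user, pw))

def legitimate_login_works(login_fn):
    """Regression check: the fix must not break the valid credentials."""
    conn = make_db()
    return login_fn(conn, "alice", "correct horse")

if __name__ == "__main__":
    print("vulnerable bypasses:", audit_login(login_vulnerable))
    print("parameterized bypasses:", audit_login(login_parameterized))
```

Every payload succeeds against the concatenated query and none against the parameterized one, while the real credentials still work for both. Running a payload list like this against each login, search and filter endpoint is a minimal version of the application testing the report recommends; it finds the injection, but note that parameterization alone says nothing about the plaintext password storage the example uses for brevity.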