Breaches and vectors


Suzanne Widup, MSIA graduated with honors from the MSIA program at Norwich University in 2007. In Part One of this three-article series, she discussed why the data breach study (The Leaking Vault - Five Years of Data Breaches) was conducted, and how information security practitioners can use the data. In this section, she presents some of her key findings about how many breaches there were and how most of them happened.

* * *

When studying data breaches, it is helpful to look at the data from different viewpoints; the initial lenses used were incidents versus records lost. The incident data are useful in determining the breach vectors that occur most frequently, while the information on the number of records lost provides the scope of the incident and how many people it affected. The study covers 2,807 publicly disclosed breach incidents, with over 721.9 million records disclosed. To put this in perspective, organizations lost an average of 388,342 records every day for five years.

The leading vector for number of data breach incidents is the laptop computer. Laptops are frequently used as an individual's primary computer, and they can store a significant amount of confidential data. In the study, missing laptops were stolen 95% of the time (as opposed to being lost), and while the thief may have been targeting the electronics as an easily fenced item, the motivation behind the theft doesn't exempt the organization from having to disclose the breach.

In the end, the organization has lost control over the data, and the potential is there for its disclosure. A high percentage of the notification letters sent to the data subject victims contained assurances that the organization had no evidence that the data had been used, while touting the protection of requiring a password to access the computer.

In reality, it is trivial to bypass the password protection control, and testing showed the process took less than 15 minutes and only basic computer skills to accomplish. Entering the terms "bypass windows password" into a search engine yields over 1.8 million results. This finding is an illustration of the need for defense in depth – if the initial control is weak, stronger defenses should be in place in case it fails. In this case, encrypting the data, or better still, preventing confidential data from leaving the organization on a portable device would be examples of additional controls.

For number of records disclosed, the hacking vector led by a wide margin. This vector was responsible for 327 million records, but accounted for only 16% of the incidents. The average number of records lost per hacking incident was 716,925. In contrast, the laptop vector averaged only 71,749 records lost per incident. When looking at mitigation for this vector, practitioners should look not only at perimeter defenses, but also at detective controls. Preventing an incident is the best-case scenario, but given the risk, timely detection and containment are essential to reducing the damage to the organization.
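As an added example (not the study's own code or data), the following script applies the two lenses described above to a constructed sample of incidents: it groups incidents by vector, then ranks vectors once by incident count and once by records disclosed, and computes the stolen-versus-lost share for laptops. The sample values are invented and only reproduce the pattern the article reports, not the study's figures.

```python
"""Two lenses on breach data: incident count versus records lost.

Added example, not from the study or the article. SAMPLE_INCIDENTS is a
constructed toy data set (not the study's 2,807 incidents) chosen so that
laptops lead by incident count while hacking leads by records disclosed.
"""
from collections import defaultdict

# Constructed sample: (breach vector, records disclosed, cause) per incident.
SAMPLE_INCIDENTS = [
    ("laptop", 50_000, "stolen"),
    ("laptop", 120_000, "stolen"),
    ("laptop", 8_000, "lost"),
    ("laptop", 60_000, "stolen"),
    ("hacking", 900_000, "attack"),
    ("hacking", 600_000, "attack"),
    ("paper", 2_000, "lost"),
]


def summarize_by_vector(incidents):
    """Return {vector: {"incidents": n, "records": total, "avg": per-incident}}."""
    counts = defaultdict(int)
    records = defaultdict(int)
    for vector, n_records, _cause in incidents:
        counts[vector] += 1
        records[vector] += n_records
    return {
        v: {"incidents": counts[v], "records": records[v],
            "avg": records[v] / counts[v]}
        for v in counts
    }


def rank_vectors(summary, key):
    """Vectors ordered by the chosen lens ('incidents' or 'records'), highest first."""
    return sorted(summary, key=lambda v: summary[v][key], reverse=True)


def stolen_share(incidents, vector="laptop"):
    """Fraction of a vector's incidents attributed to theft rather than loss."""
    causes = [c for v, _, c in incidents if v == vector]
    return sum(1 for c in causes if c == "stolen") / len(causes) if causes else 0.0


if __name__ == "__main__":
    s = summarize_by_vector(SAMPLE_INCIDENTS)
    print("by incident count:", rank_vectors(s, "incidents"))
    print("by records lost:  ", rank_vectors(s, "records"))
    for v in s:
        print(f"{v:8} incidents={s[v]['incidents']:2} records={s[v]['records']:>9,} avg={s[v]['avg']:,.0f}")
    print(f"laptops stolen (vs lost): {stolen_share(SAMPLE_INCIDENTS):.0%}")
```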

Suzanne Widup, MSIA has significant experience in workplace investigation, digital forensics, e-discovery and litigation support. Her background includes 16 years of security and Unix system administration, technical support, and software development. In addition, in what doesn’t sound like much spare time, Suzanne is a certified Graduate Gemologist and a Graduate Jeweler, a certified Precious Metal Clay instructor, and the founder of the Yahoo Silk Painting group.
