Verizon data breach report, Part 3: Breach size and source

* A closer look at breach sources

In my two most recent columns (Part 1 and Part 2), I've been looking at the Verizon Business RISK Team's valuable analysis of four years of data on security breaches among their clients, entitled "2008 Data Breach Investigations Report." Today I'll look at the research findings concerning breach size and source.

The most interesting aspect of the data is that “The median size (as measured in the number of compromised records) for an insider breach exceeded that of an outsider by more than 10 to one. Likewise, incidents involving partners tend to be substantially larger than those caused by external sources.”

I was pleased to see the authors using the median, not the mean, of the number of records compromised; most of the reports published in our field erroneously use means (arithmetic averages) even though the variables have drastically skewed (asymmetric) frequency distributions that make those averages much less useful than for symmetric distributions. 

When the authors corrected for the number of cases involving external sources, internal sources, and partners, the numbers of records likely to be involved in a breach showed that “partners represent the greatest risk for data compromise, followed closely by insiders.” These observations support “the principle that privileged parties are able to do more damage to the organization than outsiders.”
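The two points above (why the median is the right summary for skewed breach sizes, and how weighting each source's typical breach size by how often that source appears changes the risk ranking) are easier to see on numbers. The following Python is an added example, not code from the report or from this column; the record counts and breach shares are constructed so that the external-source sample contains one enormous outlier, and the "share times median" weighting is an assumed reading of what "correcting for the number of cases" means, not the report's documented method.

```python
from statistics import mean, median

# Constructed sample of compromised-record counts per breach, grouped by
# source. Illustrative only; these are not figures from the Verizon report.
# The external list deliberately contains one very large breach.
RECORDS_BY_SOURCE = {
    "external": [200, 350, 500, 800, 1_200, 2_000, 3_500, 5_000, 40_000_000],
    "internal": [8_000, 15_000, 30_000, 60_000, 120_000, 250_000],
    "partner":  [20_000, 50_000, 90_000, 150_000, 400_000],
}

# Constructed share of all breaches attributed to each source (sums to 1.0).
BREACH_SHARE = {"external": 0.70, "internal": 0.15, "partner": 0.15}

STATS = {"mean": mean, "median": median}


def summarize(records):
    """Return (mean, median) so the two statistics can be compared side by side."""
    return mean(records), median(records)


def skew_ratio(records):
    """Mean divided by median: a ratio well above 1 shows a right-skewed sample
    whose average is dominated by a few huge breaches."""
    m, med = summarize(records)
    return m / med


def expected_records_per_breach(records_by_source, breach_share, stat="median"):
    """Weight each source's typical breach size by how often that source occurs.

    This is an assumed 'likelihood x typical impact' reading of correcting
    for the number of cases; the report's exact method is not reproduced.
    """
    typical = STATS[stat]
    return {
        src: breach_share[src] * typical(recs)
        for src, recs in records_by_source.items()
    }


def rank_sources(records_by_source, breach_share, stat="median"):
    """Sources ordered from highest to lowest weighted breach size."""
    weighted = expected_records_per_breach(records_by_source, breach_share, stat)
    return sorted(weighted, key=weighted.get, reverse=True)


if __name__ == "__main__":
    for src, recs in RECORDS_BY_SOURCE.items():
        m, med = summarize(recs)
        print(f"{src:9s} mean={m:>14,.0f} median={med:>10,.0f} skew={skew_ratio(recs):,.0f}x")
    print("ranking by share x median:", rank_sources(RECORDS_BY_SOURCE, BREACH_SHARE))
    print("ranking by share x mean:  ", rank_sources(RECORDS_BY_SOURCE, BREACH_SHARE, "mean"))
```

On this constructed data the single 40-million-record external breach drags the external mean above four million records while the external median stays at 1,200; ranking by share times median puts partners first and insiders second, whereas ranking by share times mean puts external sources first. That reversal is exactly why the column's author welcomes the report's use of medians.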

Using as much information as they could bring together on the IP addresses of external attacks, the Verizon team found that the geographic distribution of attack origins looked like this (some of these numbers are not shown in the report but were supplied by author Wade Baker for this article):

• Europe-East: 24%

• Americas-North: 23%

• Asia-South/Southeast: 14%

• Asia-East: 12%

• Asia-North/Central (incl. Russia): 9%

• Europe-West/South: 9%

• Middle East: 5%

• Americas-South: 3%

• Africa: 1%

• Europe-North (Scandinavia): 0%

• Oceania (Australia/NZ): 0%

• Americas-Central: 0%

So, more than 80% of the estimated attack sources are from Eastern Europe, North America, and Asia. These results surprised me, since I have fallen into the habit of thinking of China as the No. 1 source of threats to information security today; I have to correct my impressions and be more careful in my teaching, lecturing and writing.

On the insider front, the analysts found that half the insider attacks involved IT administrators, and about 41% involved other non-executive employees. These results are consistent with the long-held view that privileged insiders must be selected with care and consistently monitored as part of any effective security program.

Many breaches in the data set were mediated through weaknesses in partner systems:

“Partner-side information assets and connections were compromised and used by an external entity to attack the victim’s systems in 57% of breaches involving a business partner. Though not a willing accomplice, the partner’s lax security practices - often outside the victim’s control - undeniably allow such attacks to take place. Exacerbating this situation, the victim organization frequently lacks measures to provide accountability for partner-facing systems. This contributed to the 21 percent of breaches in which partner involvement was evident but specific persons were not identified.”

These findings on attacks via compromised partner systems support the view that it makes sense to insist on external security audits of partner organizations before establishing and while maintaining extended business relationships involving electronic data interchange. Consult your attorneys to discuss their views on due diligence in executing fiduciary responsibility to corporate stakeholders.

In the next and final article in this series based on the Verizon report, I will look at the findings on attack vectors.


Copyright © 2008 IDG Communications, Inc.
