© 2010 Verizon. All Rights Reserved. PTE14626 07/10

2011 DBIR

Data Breach Investigations Report series

http://verizonbusiness.com/databreachhttp://securityblog.verizonbusiness.com

2011 DBIR Contributors

VerizonUnited StatesSecret Service

Dutch National High Tech Crime Unit

Methodology: Collection and Analysis

• VERIS framework used to collect data after investigation

• Aggregate and anonymize the case data

• RISK Intelligence team provides analytics

• 630 threat events

VERIS: https://verisframework.wiki.zoho.com/

Overview – What’s New?

• Over 750 new breaches studied since the last report– Total for all years = 1700+

• Just under 4 million records confirmed compromised– Total for all years = 900+ million

• Euro-centric appendix from Dutch HTCU

??

Agents: Whose Actions Affected the Asset?

Agents: Who were the External Agents?

Agents: Who were the Internal Agents?

Actions: What Actions Affected the Asset?

Malware – What was the Infection Vector?

Malware – What was its Functionality?

Malware – How Often was it Customized?

Hacking – What was the Type Used?

Hacking – What Path did the Agent Take?

Patchable vulnerabilities: 5

Which Assets were Affected?

Which Assets were Affected?

Which Data Types were Affected?

How Difficult were these Attacks?

How Long to Compromise, Discovery & Containment?

How did the Victim Discover the Breach?

Wrapping up

Wrapping up

Conclusions & recommendations

Focus on essential controls.Focus on essential controls. Many organisations make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.

Eliminate unnecessary data.Eliminate unnecessary data. If you do not need it, do not keep it. For sensitive data that must be kept, identify, monitor and securely store it.

Secure remote access services.Secure remote access services. Restrict these services to specific IP addresses and networks, minimising public access to them. Also, ensure that your organisation is limiting access to sensitive information within the network.

Filter outbound activity.Filter outbound activity. If the criminal cannot get the data out of your environment then the data has not been compromised.

Monitor and mine event logs.Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the records. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.

Look for unusual location.Look for unusual location. Criminals do not tend to attack from the same location as your usual business partner and staff traffic.

DBIR: www.verizonbusiness.com/databreachVERIS: https://verisframework.wiki.zoho.com/Blog: securityblog.verizonbusiness.comEmail: dbir@verizonbusiness.com