Rp Data Breach Investigations Report 2012 en Xg
7/31/2019 Rp Data Breach Investigations Report 2012 en Xg
1/92
1
2012 DBIR: EXECUTIVE SUMMARY

2011 will almost certainly go down as a year of civil and cultural uprising. Citizens revolted, challenged, and even overthrew their governments in a domino effect that has since been coined the "Arab Spring," though it stretched beyond a single season. Those disgruntled by what they perceived as the wealth-mongering "1%" occupied Wall Street along with other cities and venues across the globe. There is no shortage of other examples.

This unrest that so typified 2011 was not, however, constrained to the physical world. The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of "hacktivism" rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn't follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can't predict their behavior.

It wasn't all protest and lulz, however. Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property. We certainly encountered many faces, varied tactics, and diverse motives in the past year, and in many ways, the 2012 Data Breach Investigations Report (DBIR) is a recounting of the many facets of corporate data theft.

855 incidents, 174 million compromised records.

This year our DBIR includes more incidents, derived from more contributors, and represents a broader and more diverse geographical scope. The number of compromised records across these incidents skyrocketed back up to 174 million after reaching an all-time low (or high, depending on your point of view) in last year's report of four million. In fact, 2011 boasts the second-highest data loss total since we started keeping track in 2004.

2012 DATA BREACH INVESTIGATIONS REPORT
A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service.
Once again, we are proud to announce that the United States Secret Service (USSS) and the Dutch National High Tech Crime Unit (NHTCU) have joined us for this year's report. We also welcome the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISS), and the Police Central eCrimes Unit (PCeU) of the London Metropolitan Police. These organizations have broadened the scope of the DBIR tremendously with regard to data breaches around the globe. We heartily thank them all for their spirit of cooperation, and sincerely hope this report serves to increase awareness of cybercrime, as well as our collective ability to fight it.

With the addition of Verizon's 2011 caseload and data contributed from the organizations listed above, the DBIR series now spans eight years, well over 2000 breaches, and greater than one billion compromised records. It's been a fascinating and informative journey, and we are grateful that many of you have chosen to come along for the ride. As always, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers. We begin with a few highlights below.
DATA COLLECTION

The underlying methodology used by Verizon remains relatively unchanged from previous years. All results are based on first-hand evidence collected during paid external forensic investigations conducted by Verizon from 2004 to 2011. The USSS, NHTCU, AFP, IRISS, and PCeU differed in precisely how they collected data contributed for this report, but they shared the same basic approach. All leveraged VERIS as the common denominator but used varying mechanisms for data entry. From the numerous investigations worked by these organizations in 2011, in alignment with the focus of the DBIR, the scope was narrowed to only those involving confirmed organizational data breaches.

A BRIEF PRIMER ON VERIS

VERIS is a framework designed to provide a common language for describing security incidents in a structured and repeatable manner. It takes the narrative of "who did what to what (or whom) with what result" and translates it into the kind of data you see presented in this report. Because many readers asked about the methodology behind the DBIR and because we hope to facilitate more information sharing on security incidents, we have released VERIS for free public use. A brief overview of VERIS is available on our website [1] and the complete framework can be obtained from the VERIS community wiki. [2] Both are good companion references to this report for understanding terminology and context.

[1] http://www.verizonbusiness.com/resources/whitepapers/wp_verizon-incident-sharing-metrics-framework_en_xg.pdf
[2] https://verisframework.wiki.zoho.com/
SUMMARY STATISTICS

WHO IS BEHIND DATA BREACHES?

98% stemmed from external agents (+6%)
4% implicated internal employees (-13%)

No big surprise here; outsiders are still dominating the scene of corporate data theft. Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011. Activist groups created their fair share of misery and mayhem last year as well, and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role across the caseload. As one might expect with such a rise in external attackers, the proportion of insider incidents declined yet again this year to a comparatively scant 4%.
WHERE SHOULD MITIGATION EFFORTS BE FOCUSED?

Once again, this study reminds us that our profession has the necessary tools to get the job done. The challenge for the good guys lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time. Evidence shows when that happens, the bad guys are quick to take advantage of it.

As you'll soon see, we contrast findings for smaller and larger organizations throughout this report. You will get a sense for how very different (and in some cases how very similar) their problems tend to be. Because of this, it makes sense that the solutions to these problems are different as well. Thus, most of the recommendations given at the end of this report relate to larger organizations. It's not that we're ignoring the smaller guys; it's just that while modern cybercrime is a plague upon their house, the antidote is fairly simple and almost universal.

Larger organizations exhibit a more diverse set of issues that must be addressed through an equally diverse set of corrective actions. We hope the findings in this report help to prioritize those efforts, but truly tailoring a treatment strategy to your needs requires an informed and introspective assessment of your unique threat landscape.

Smaller organizations
- Implement a firewall or ACL on remote access services
- Change default credentials of POS systems and other Internet-facing devices
- If a third party vendor is handling the two items above, make sure they've actually done them

Larger organizations
- Eliminate unnecessary data; keep tabs on what's left
- Ensure essential controls are met; regularly check that they remain so
- Monitor and mine event logs
- Evaluate your threat landscape to prioritize your treatment strategy
- Refer to the conclusion of this report for indicators and mitigators for the most common threats
THREAT EVENT OVERVIEW

In last year's DBIR, we presented the VERIS threat event grid populated with frequency counts for the first time. Other than new data sharing partners, it was one of the most well received features of the report. The statistics throughout this report provide separate analysis of the Agents, Actions, Assets, and Attributes observed, but the grid presented here ties it all together to show intersections between the "4 A's." It gives a single big-picture view of the threat events associated with data breaches in 2011. Figure 1 (overall dataset) and Figure 2 (larger orgs) use the structure of Figure 1 from the Methodology section in the full report, but replace TE#s with the total number of breaches in which each threat event was part of the incident scenario. [3] This is our most consolidated view of the 855 data breaches analyzed this year, and there are several things worth noting.

When we observe the overall dataset from a threat management perspective, only 40 of the 315 possible threat events have values greater than zero (13%). Before going further, we need to restate that not all intersections in the grid are feasible. Readers should also remember that this report focuses solely on data breaches. During engagements where we have worked with organizations to "VERIS-ize" all their security incidents over the course of a year, it's quite interesting to see how different these grids look when compared to DBIR datasets. As one might theorize, Error and Misuse as well as Availability losses prove much more common.

[3] In other words, 381 of the 855 breaches in 2011 involved external malware that affected the confidentiality of a server (the top left threat event).
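The grid described above is a plain tally once incidents are recorded as VERIS threat events. The following Python example, added here and not part of the DBIR or of the VERIS framework's own tooling, builds it: each incident is a list of (action, agent, asset, attribute) tuples using the axis names of Figure 1, each threat event is counted once per breach in which it occurs, and the same records yield the "N of 315 cells" coverage figure and the agent-share statistic quoted in the summary. The incidents and their ids are constructed for illustration, not case data.

```python
from collections import Counter

# The four VERIS "A"s as laid out in the DBIR threat event grid (axis names from Figure 1):
# 7 actions x 3 agents x 5 assets x 3 attribute pairs = 315 possible threat events.
ACTIONS = ("Malware", "Hacking", "Social", "Misuse", "Physical", "Error", "Environmental")
AGENTS = ("Ext", "Int", "Prt")
ASSETS = ("Servers", "Networks", "User Devices", "Offline Data", "People")
ATTRIBUTES = ("Confidentiality & Possession", "Integrity & Authenticity", "Availability & Utility")

# A threat event is one (action, agent, asset, attribute) tuple; an incident is a list of them.
# Constructed sample incidents for illustration only; these are not DBIR case data.
SAMPLE_INCIDENTS = [
    {"id": "inc-001", "events": [
        ("Hacking", "Ext", "Servers", "Integrity & Authenticity"),          # stolen credentials used
        ("Malware", "Ext", "Servers", "Confidentiality & Possession"),      # backdoor reads data
        ("Malware", "Ext", "Servers", "Confidentiality & Possession"),      # same event, second host
    ]},
    {"id": "inc-002", "events": [
        ("Social", "Ext", "People", "Integrity & Authenticity"),            # phishing lure
        ("Malware", "Ext", "User Devices", "Integrity & Authenticity"),     # keylogger installed
        ("Malware", "Ext", "User Devices", "Confidentiality & Possession"), # credentials captured
        ("Hacking", "Ext", "Servers", "Confidentiality & Possession"),
    ]},
    {"id": "inc-003", "events": [
        ("Misuse", "Int", "Servers", "Confidentiality & Possession"),       # insider privilege abuse
    ]},
    {"id": "inc-004", "events": [
        ("Malware", "Ext", "Servers", "Confidentiality & Possession"),
        ("Hacking", "Ext", "Servers", "Confidentiality & Possession"),
    ]},
]


def is_valid_event(event):
    """Reject tuples that name a value outside the four VERIS axes."""
    action, agent, asset, attribute = event
    return (action in ACTIONS and agent in AGENTS
            and asset in ASSETS and attribute in ATTRIBUTES)


def tally_grid(incidents):
    """Count, per threat event, the number of breaches in which it occurred at least once.
    An event repeated inside one incident is counted once for that incident, which is what
    the report means by the number of breaches in which a threat event was part of the scenario."""
    counts = Counter()
    for incident in incidents:
        for event in set(incident["events"]):
            if not is_valid_event(event):
                raise ValueError(f"{incident['id']}: not a VERIS threat event: {event}")
            counts[event] += 1
    return counts


def grid_coverage(counts):
    """Return (cells with a non-zero count, possible cells); the report quotes 40 of 315."""
    possible = len(ACTIONS) * len(AGENTS) * len(ASSETS) * len(ATTRIBUTES)
    return sum(1 for c in counts.values() if c > 0), possible


def agent_share(incidents, agent):
    """Fraction of breaches in which the given agent class took part (the '98% external' statistic).
    A breach involving both external and internal agents counts towards both shares."""
    hits = sum(1 for inc in incidents if any(ev[1] == agent for ev in inc["events"]))
    return hits / len(incidents)


def render_grid(counts):
    """Text rendering with the same layout as Figure 1: one column per action/agent pair."""
    label_w = 45
    head1 = " " * label_w + "".join(f"{action:^18}" for action in ACTIONS)
    head2 = " " * label_w + "".join(f"{agent:>6}" for _ in ACTIONS for agent in AGENTS)
    lines = [head1, head2]
    for asset in ASSETS:
        for attribute in ATTRIBUTES:
            cells = []
            for action in ACTIONS:
                for agent in AGENTS:
                    n = counts.get((action, agent, asset, attribute), 0)
                    cell = n if n else "."
                    cells.append(f"{cell:>6}")
            label = f"{asset} / {attribute}"
            lines.append(f"{label:<{label_w}}" + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    grid = tally_grid(SAMPLE_INCIDENTS)
    print(render_grid(grid))
    seen, possible = grid_coverage(grid)
    print(f"\n{seen} of {possible} possible threat events seen ({100 * seen / possible:.0f}%)")
    print(f"external agents: {agent_share(SAMPLE_INCIDENTS, 'Ext'):.0%}, "
          f"internal agents: {agent_share(SAMPLE_INCIDENTS, 'Int'):.0%}")
```

Counting once per breach rather than once per event is the detail that matters when comparing your own grid to the figures here: an incident that touched twenty servers with the same backdoor still contributes one to the Malware/Ext/Servers cell.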
Now back to the grids, where the results for the overall dataset share many similarities with our last report. The biggest changes are that hotspots in the Misuse and Physical areas are a little cooler, while Malware and Hacking against Servers and User Devices are burning brighter than ever. Similarly, the list of top threat events in Table 3 in the full report feels eerily familiar.

Separating the threat events for larger organizations in Figure 2 yields a few additional talking points. Some might be surprised that this version of the grid is less covered than Figure 1 (22 of the 315 events, 7%, were seen at least once). One would expect that the bigger attack surface and stronger controls associated with larger organizations would spread attacks over a greater portion of the grid. This may be true, and our results shouldn't be used to contradict that point. We believe the lower density of Figure 2 compared to Figure 1 is mostly a result of size differences in the datasets (855 versus 60 breaches). With respect to threat diversity, it's interesting that the grid for larger organizations shows a comparatively more even distribution across in-scope threat events (i.e., less extreme clumping around Malware and Hacking). Based on descriptions in the press of prominent attacks leveraging forms of social engineering and the like, this isn't a shocker.
Figure 1. VERIS A4 Grid depicting the frequency of high-level threat events

Columns (left to right): Malware, Hacking, Social, Misuse, Physical, Error, Environmental, each split into Ext / Int / Prt agents. Rows: asset by attribute. Only the non-zero cell values survived extraction; they are listed per row in left-to-right column order (the text identifies the first, 381, as Malware/Ext against Servers).

Servers
  Confidentiality & Possession: 381 518 1 9 8 1 2 1
  Integrity & Authenticity: 397 422 1 6 1 1
  Availability & Utility: 2 6 5
Networks
  Confidentiality & Possession: 1
  Integrity & Authenticity: 1 1
  Availability & Utility: 1 1 1
User Devices
  Confidentiality & Possession: 356 419 1 86
  Integrity & Authenticity: 355 355 1 1 86
  Availability & Utility: 1 3
Offline Data
  Confidentiality & Possession: 23 1
  Integrity & Authenticity: none
  Availability & Utility: none
People
  Confidentiality & Possession: 30 1
  Integrity & Authenticity: 59 2
  Availability & Utility: none
Naturally, the full report digs into the threat agents, actions, and assets involved in 2011 breaches in much more detail. It also provides additional information on the data collection methodology for Verizon and the other contributors.

2012 DBIR: CONCLUSIONS AND RECOMMENDATIONS

This year, we're including something new in this section. However, being the environmentally conscious group that we are, we're going to recycle this blurb one more time:

Creating a list of solid recommendations gets progressively more difficult every year we publish this report. Think about it; our findings shift and evolve over time but rarely are they completely new or unexpected. Why would it be any different for recommendations based on those findings? Sure, we could wing it and prattle off a lengthy list of to-dos to meet a quota but we figure you can get that elsewhere. We're more interested in having merit than having many.

Then, we're going to reduce and reuse some of the material we included back in the 2009 Supplemental DBIR, and recast it in a slightly different way that we hope is helpful. As mentioned, we've also produced something new, but made sure it had a small carbon (and page space) footprint. If you combine that with the energy saved by avoiding investigator travel, shipping evidence, and untold computational cycles, these recommendations really earn their green badge.
Figure 2. VERIS A4 Grid depicting the frequency of high-level threat events, LARGER ORGS

Same layout as Figure 1 (columns: Malware, Hacking, Social, Misuse, Physical, Error, Environmental, each split into Ext / Int / Prt; rows: asset by attribute). Non-zero cell values per row in left-to-right column order:

Servers
  Confidentiality & Possession: 7 33 3 2 1
  Integrity & Authenticity: 10 18 1
  Availability & Utility: 1
Networks
  Confidentiality & Possession: none
  Integrity & Authenticity: none
  Availability & Utility: 1 1
User Devices
  Confidentiality & Possession: 3 6 10
  Integrity & Authenticity: 4 2 10
  Availability & Utility: 1
Offline Data
  Confidentiality & Possession: 1 1
  Integrity & Authenticity: none
  Availability & Utility: none
People
  Confidentiality & Possession: 7
  Integrity & Authenticity: 11
  Availability & Utility: none
Let's start with the something new. We've come to the realization that many of the organizations covered in this report are probably not getting the message about their security. We're talking about the smaller organizations that have one (or a handful) of POS systems. The cutout below was created especially for them and we need your help. We invite you, our reader, to cut it out, and give it to restaurants, retailers, hotels, or other establishments that you frequent. In so doing, you're helping to spread a message that they need to hear. Not to mention, it's a message that the rest of us need them to hear too. These tips may seem simple, but all the evidence at our disposal suggests a huge chunk of the problem for smaller businesses would be knocked out if they were widely adopted.

POINT-OF-SALE SECURITY TIPS

Greetings. You were given this card because someone likes your establishment. They wanted to help protect your business as well as their payment and personal information.

It may be easy to think "that'll never happen to me" when it comes to hackers stealing your information. But you might be surprised to know that most attacks are directed against small companies and most can be prevented with a few small and relatively easy steps. Below you'll find a few tips based on Verizon's research into thousands of security breaches affecting companies like yours that use point-of-sale (POS) systems to process customer payments. If none of it makes sense to you, please pass it on to management.

✓ Change administrative passwords on all POS systems. Hackers are scanning the Internet for easily guessable passwords.
✓ Implement a firewall or access control list on remote access/administration services. If hackers can't reach your system, they can't easily steal from it.

After that, you may also wish to consider these:
- Avoid using POS systems to browse the web (or anything else on the Internet for that matter)
- Make sure your POS is a PCI DSS compliant application (ask your vendor)

If a third-party vendor looks after your POS systems, we recommend asking them to confirm that these things have been done. If possible, obtain documentation. Following these simple practices will save a lot of wasted money, time, and other troubles for your business and your customers.

For more information, visit www.verizon.com/enterprise/databreach (but not from your POS).
Figure 3. Cost of recommended preventive measures by percent of breaches*

                           ALL ORGS    LARGER ORGS
Simple and cheap              63%          40%
Intermediate                  31%          55%
Difficult and expensive        3%           5%
Unknown                        3%           -

* Verizon caseload only
For those who don't remember (tsk, tsk), the 2009 Supplemental DBIR was an encyclopedia of sorts for the top threat actions observed back then. Each entry contained a description, associated threat agents, related assets, commonalities, indicators, mitigators, and a case study. To provide relevant and actionable recommendations to larger organizations this year, we're repurposing the indicators and mitigators part from that report.

Indicators: Warning signs and controls that can detect or indicate that a threat action is underway or has occurred.

Mitigators: Controls that can deter or prevent threat actions or aid recovery/response (contain damage) in the wake of their occurrence.

Our recommendations will be driven off of Table 7 in the full report, which is in the Threat Action Overview section, and shows the top ten threat actions against larger organizations. Rather than repeat the whole list here, we'll summarize the points we think represent the largest opportunities to reduce our collective exposure to loss:
- Keyloggers and the use of stolen credentials
- Backdoors and command control
- Tampering
- Pretexting
- Phishing
- Brute force
- SQL injection

Hacking: Use of stolen credentials

Description: Refers to instances in which an attacker gains access to a protected system or device using valid but stolen credentials.

Indicators: Presence of malware on system; user behavioral analysis indicating anomalies (i.e., abnormal source location or logon time); use of last logon banner (can indicate unauthorized access); monitor all administrative/privileged activity.

Mitigators: Two-factor authentication; change passwords upon suspicion of theft; time-of-use rules; IP blacklisting (consider blocking large address blocks/regions if they have no legitimate business purpose); restrict administrative connections (i.e., only from specific internal sources). For preventing stolen credentials, see Keyloggers and Spyware, Pretexting, and Phishing entries.
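Two of the indicators above (abnormal source location or logon time, and monitoring of privileged activity) can be turned into a small baseline-and-compare check. The Python below is an added example, not the report's or Verizon's code: it learns each user's usual logon hours and source subnets from a history window, then flags successful logons that break that baseline, the assumed time-of-use rule (BUSINESS_HOURS), or the assumed restriction of privileged logons to an internal admin subnet (ADMIN_SOURCES). The logon records and the policy values are constructed for the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed successful-logon records (not from the report): user, UTC timestamp, source IP,
# and whether the account is privileged. HISTORY is the baseline window; TODAY is what we check.
HISTORY = [
    ("jsmith", "2011-06-01 08:55", "10.1.4.22", False),
    ("jsmith", "2011-06-02 09:10", "10.1.4.22", False),
    ("jsmith", "2011-06-03 08:47", "10.1.4.23", False),
    ("jsmith", "2011-06-06 17:30", "10.1.4.22", False),
    ("dbadmin", "2011-06-01 10:05", "10.1.9.5", True),
    ("dbadmin", "2011-06-02 14:20", "10.1.9.5", True),
    ("dbadmin", "2011-06-03 11:00", "10.1.9.6", True),
]
TODAY = [
    ("jsmith", "2011-06-20 09:02", "10.1.4.22", False),       # usual hour, usual subnet
    ("jsmith", "2011-06-21 03:14", "198.51.100.77", False),   # 03:14 from an outside address
    ("dbadmin", "2011-06-21 10:30", "10.1.9.5", True),        # usual admin logon
    ("dbadmin", "2011-06-21 10:31", "203.0.113.9", True),     # admin logon from outside the admin subnet
]

# Assumed policy values for this example: a time-of-use rule and the only subnet from which
# privileged logons are accepted (the report's "restrict administrative connections").
BUSINESS_HOURS = range(7, 20)                 # 07:00 to 19:59 UTC
ADMIN_SOURCES = [ip_network("10.1.9.0/24")]


def parse_hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour


def subnet(src):
    """Collapse an address to its /24 so a user's usual office range counts as one source."""
    return ip_network(f"{src}/24", strict=False)


def build_baseline(records):
    """Per user: the set of /24 source subnets and the set of logon hours seen in the history."""
    baseline = {}
    for user, ts, src, _privileged in records:
        entry = baseline.setdefault(user, {"sources": set(), "hours": set()})
        entry["sources"].add(subnet(src))
        entry["hours"].add(parse_hour(ts))
    return baseline


def score_logon(record, baseline):
    """Return the names of the indicators that fire for one successful logon (empty if none)."""
    user, ts, src, privileged = record
    hour = parse_hour(ts)
    known = baseline.get(user, {"sources": set(), "hours": set()})
    reasons = []
    if subnet(src) not in known["sources"]:
        reasons.append("new_source")
    # An unusual hour is only suspicious when it also falls outside the time-of-use rule.
    if hour not in known["hours"] and hour not in BUSINESS_HOURS:
        reasons.append("abnormal_time")
    if privileged and not any(ip_address(src) in net for net in ADMIN_SOURCES):
        reasons.append("admin_from_unapproved_source")
    return reasons


def find_suspicious(records, baseline):
    """Map each flagged record to its reasons; records with no reasons are omitted."""
    flagged = {}
    for record in records:
        reasons = score_logon(record, baseline)
        if reasons:
            flagged[record] = reasons
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for record, reasons in find_suspicious(TODAY, baseline).items():
        print(record[0], record[1], record[2], "->", ", ".join(reasons))
```

The check is deliberately conservative: a new subnet alone is a weak signal for an ordinary user, but the combination of a new subnet with an out-of-hours logon, or any privileged logon from outside the approved subnet, is what the report's "change passwords upon suspicion of theft" response should key on.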
Malware: Backdoors, Command and Control
Hacking: Exploitation of backdoor or command and control channel

Description: Tools that provide remote access to and/or control of infected systems. Backdoor and command/control programs bypass normal authentication mechanisms and other security controls enabled on a system and are designed to run covertly.

Indicators: Unusual system behavior or performance (several victims noted watching the cursor navigating files without anyone touching the mouse); unusual network activity; IDS/IPS (for non-customized versions); registry monitoring; system process monitoring; routine log monitoring; presence of other malware on system; AV disabled.

During investigations involving suspected malware we commonly examine active system processes and create a list of all system contents sorted by creation/modification date. These efforts often reveal malicious files in the Windows\system32 and user temporary directories.
Mitigators: Egress filtering (these tools often operate via odd ports, protocols, and services); use of proxies for outbound traffic; IP blacklisting (consider blocking large address blocks/regions if they have no legitimate business purpose); host IDS (HIDS) or integrity monitoring; restrict user administrative rights; personal firewalls; data loss prevention (DLP) tools; anti-virus and anti-spyware (although increased customization is rendering AV less effective; we discovered one backdoor recognized by only one of forty AV vendors we tried); web browsing policies.
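Egress filtering and proxy-only outbound access only pay off when violations are noticed. This Python example is added here and is not from the report: it checks outbound flow records against an assumed default-deny egress policy, tags each denied flow with the reason that would have blocked it, and separately looks for destinations contacted at near-regular intervals, the check-in rhythm that command-and-control tools tend to show. The flow records, the allowed internal services, and the blocked address range are constructed values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed outbound-flow records (not from the report):
# (epoch seconds, source host, destination IP, destination port, protocol)
FLOWS = [
    (1000, "ws-17", "10.0.0.8", 8080, "tcp"),        # web via the proxy
    (1003, "ws-17", "10.0.0.53", 53, "udp"),         # internal resolver
    (1100, "ws-17", "198.51.100.20", 443, "tcp"),    # direct HTTPS, bypassing the proxy
    (1200, "ws-23", "203.0.113.45", 6667, "tcp"),    # odd port to an address in a blocked range...
    (1500, "ws-23", "203.0.113.45", 6667, "tcp"),    # ...every 300 seconds
    (1800, "ws-23", "203.0.113.45", 6667, "tcp"),
    (2100, "ws-23", "203.0.113.45", 6667, "tcp"),
    (2400, "ws-23", "203.0.113.45", 6667, "tcp"),
    (1250, "ws-09", "192.0.2.10", 8080, "tcp"),      # proxy port, but not the proxy host
]

# Assumed egress policy: direct outbound connections are allowed only to these internal services;
# everything else is expected to go through the proxy (default deny).
ALLOWED_EGRESS = {
    ("10.0.0.8", 8080, "tcp"),   # web proxy
    ("10.0.0.53", 53, "udp"),    # internal DNS
    ("10.0.0.25", 25, "tcp"),    # mail relay
}
# Address blocks with no legitimate business purpose for this organization (assumed).
BLOCKED_RANGES = [ip_network("203.0.113.0/24")]
INTERNAL = ip_network("10.0.0.0/8")


def policy_violations(flows):
    """Flows a default-deny egress filter would drop, each with the reason it matched."""
    findings = []
    for _ts, src, dst, port, proto in flows:
        if (dst, port, proto) in ALLOWED_EGRESS:
            continue
        if any(ip_address(dst) in net for net in BLOCKED_RANGES):
            reason = "blocked_range"
        elif ip_address(dst) not in INTERNAL and port in (80, 443):
            reason = "web_bypassing_proxy"
        else:
            reason = "unapproved_destination"
        findings.append((src, dst, port, proto, reason))
    return findings


def beacon_candidates(flows, min_count=4, max_jitter=0.2):
    """(src, dst, port) triples contacted at near-regular intervals.
    max_jitter bounds the coefficient of variation of the gaps between connections;
    a human browsing produces irregular gaps, a scheduled check-in produces regular ones."""
    times = defaultdict(list)
    for ts, src, dst, port, _proto in flows:
        times[(src, dst, port)].append(ts)
    candidates = []
    for key, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        average = mean(gaps)
        if average > 0 and pstdev(gaps) / average <= max_jitter:
            candidates.append((key, round(average)))
    return candidates


if __name__ == "__main__":
    for finding in policy_violations(FLOWS):
        print("DENY", *finding)
    for (src, dst, port), period in beacon_candidates(FLOWS):
        print(f"BEACON {src} -> {dst}:{port} every ~{period}s")
```

Note that the two checks catch different things: the blocked-range rule stops the periodic traffic here, but a beacon to an address that is not on any list would only surface through the interval analysis, which is why the report pairs blacklisting with monitoring for unusual network activity rather than relying on either alone.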
Physical: Tampering

Description: Unauthorized altering or interfering with the normal state or operation of an asset. Refers to physical forms of tampering rather than, for instance, altering software or system settings.

Indicators: An unplanned or unscheduled servicing of the device. Presence of scratches, adhesive residue, holes for cameras, or an overlay on keypads. Don't expect tampering to be obvious (overlay skimmers may be custom made to blend in with a specific device while internal tampering may not be visible from the outside). Tamper-proof seal may be broken. In some cases an unknown Bluetooth signal may be present and persist. Keep in mind that ATM/gas skimmers may only be in place for hours, not days or weeks.

Mitigators: Train employees and customers to look for and detect signs of tampering. Organizations operating such devices should conduct examinations throughout the day (e.g., as part of shift change). As inspection occurs, keep in mind that if the device takes a card and a PIN, both are generally targeted (see indicators). Set up and train all staff on a procedure for service technicians; be sure it includes a method to schedule and authenticate the technician and/or maintenance vendors. Push vendor for anti-tamper technology/features or only purchase POS and PIN devices with anti-tamper technology (e.g., tamper switches that zero out the memory, epoxy covered electronics).
Keylogger/Form-grabber/Spyware

Description: Malware that is specifically designed to collect, monitor, and log the actions of a system user. Typically used to collect usernames and passwords as part of a larger attack scenario. Also used to capture payment card information on compromised POS devices. Most run covertly to avoid alerting the user that their actions are being monitored.

Indicators: Unusual system behavior or performance; unusual network activity; IDS/IPS (for non-customized versions); registry monitoring; system process monitoring; routine log monitoring; presence of other malware on system; signs of physical tampering (e.g., attachment of foreign device). For indicators that harvested credentials are in use, see Unauthorized access via stolen credentials.

During investigations involving suspected malware we commonly examine active system processes and create a list of all system contents sorted by creation/modification date. These efforts often reveal malicious files in the Windows\system32 and user temporary directories.
Mitigators: Restrict user administrative rights; code signing; use of live boot CDs; onetime passwords; anti-virus and anti-spyware; personal firewalls; web content filtering and blacklisting; egress filtering (these tools often send data out via odd ports, protocols, and services); host IDS (HIDS) or integrity monitoring; web browsing policies; security awareness training; network segmentation.
Pretexting (Social Engineering)

Description: A social engineering technique in which the attacker invents a scenario to persuade, manipulate, or trick the target into performing an action or divulging information. These attacks exploit "bugs in human hardware" and, unfortunately, there is no patch for this.

Indicators: Very difficult to detect as it is designed to exploit human weaknesses and bypasses technological alerting mechanisms. Unusual communication, requests outside of normal workflow, and instructions to provide information or take actions contrary to policies should be viewed as suspect. Call logs; visitor logs; e-mail logs.

Mitigators: General security awareness training; clearly defined policies and procedures; do not train staff to ignore policies through official actions that violate them; train staff to recognize and report suspected pretexting attempts; verify suspect requests through trusted methods and channels; restrict corporate directories (and similar sources of information) from public access.
Brute-force attack

Description: An automated process of iterating through possible username/password combinations until one is successful.

Indicators: Routine log monitoring; numerous failed login attempts (especially those indicating widespread sequential guessing); help desk calls for account lockouts.

Mitigators: Technical means of enforcing password policies (length, complexity, clipping levels); account lockouts (after x tries); password throttling (increasing lag after successive failed logins); password cracking tests; access control lists; restrict administrative connections (i.e., only from specific internal sources); two-factor authentication; CAPTCHA.
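The indicators and mitigators above translate directly into code. The following Python example is added here rather than taken from the report: it parses constructed sshd-style "Failed password" lines, raises an alert when one source accumulates THRESHOLD failures inside a five-minute window and marks it as sequential guessing when several usernames were tried, and implements two of the mitigators as functions, a doubling throttle delay after each failure and a per-account lockout after a fixed number of tries. The log lines, the thresholds, and the year assumed for timestamp parsing are all constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines (not real data); syslog timestamps carry no year.
LOG_LINES = """\
Jun 21 02:00:01 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Jun 21 02:00:03 gw sshd[4012]: Failed password for invalid user admin1 from 203.0.113.5 port 40212 ssh2
Jun 21 02:00:05 gw sshd[4013]: Failed password for invalid user admin2 from 203.0.113.5 port 40213 ssh2
Jun 21 02:00:07 gw sshd[4014]: Failed password for invalid user admin3 from 203.0.113.5 port 40214 ssh2
Jun 21 02:00:09 gw sshd[4015]: Failed password for root from 203.0.113.5 port 40215 ssh2
Jun 21 02:00:11 gw sshd[4016]: Failed password for root from 203.0.113.5 port 40216 ssh2
Jun 21 08:15:40 gw sshd[5120]: Failed password for jsmith from 10.1.4.22 port 50010 ssh2
Jun 21 08:15:52 gw sshd[5121]: Accepted password for jsmith from 10.1.4.22 port 50010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

WINDOW = timedelta(minutes=5)   # assumed detection window
THRESHOLD = 5                   # failures from one source inside WINDOW that raise an alert
LOCKOUT_AFTER = 5               # failures per account before it is locked ("after x tries")


def parse_failures(text, year=2011):
    """Yield (timestamp, user, source) for each failed-password line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def detect_bruteforce(failures):
    """One alert per source whose failures inside WINDOW reach THRESHOLD.
    'sequential_guessing' is set when more than one username was tried from that source,
    which a per-account lockout alone would never notice."""
    by_src = defaultdict(list)
    for ts, user, src in failures:
        by_src[src].append((ts, user))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _user) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            if len(window) >= THRESHOLD:
                users = {u for _, u in window}
                alerts.append({"src": src, "failures": len(window),
                               "distinct_users": len(users),
                               "sequential_guessing": len(users) > 1})
                break
    return alerts


def throttle_delay(consecutive_failures, base=1.0, cap=60.0):
    """Password throttling: seconds the next attempt must wait, doubling per failure up to cap."""
    if consecutive_failures <= 0:
        return 0.0
    return min(base * 2 ** (consecutive_failures - 1), cap)


def account_locked(failures, user):
    """Account lockout: true once the account has LOCKOUT_AFTER failures from any source."""
    return sum(1 for _, u, _ in failures if u == user) >= LOCKOUT_AFTER


if __name__ == "__main__":
    failures = list(parse_failures(LOG_LINES))
    for alert in detect_bruteforce(failures):
        print("ALERT", alert)
    for n in range(1, 8):
        print(f"after {n} failures wait {throttle_delay(n):.0f}s")
    print("root locked:", account_locked(failures, "root"))
```

Running it shows why both views are needed: the per-account lockout never fires on this sample, since no single account reached five failures, while the per-source window catches six failures in ten seconds across five usernames. Lockouts also turn a guessing campaign into a denial of service against legitimate accounts, which is why the throttling delay is the gentler first response.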
SQL injection

Description: SQL Injection is an attack technique used to exploit how web pages communicate with back-end databases. An attacker can issue commands (in the form of specially crafted SQL statements) to a database using input fields on a website.

Indicators: Routine log monitoring (especially web server and database); IDS/IPS.

Mitigators: Secure development practices; input validation (escaping and whitelisting techniques); use of parameterized and/or stored procedures; adhere to principles of least privilege for database accounts; removal of unnecessary services; system hardening; disable output of database error messages to the client; application vulnerability scanning; penetration testing; web application firewall.
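Three of the mitigators listed (parameterized queries, whitelisting input validation, and not returning database error messages to the client) are shown side by side below in an added Python example; it is not the report's code and runs against an in-memory SQLite table constructed for the purpose. The first lookup splices the input into the statement and is the vulnerable form; the second binds the value as a parameter; the third puts a whitelist in front of the parameterized query, and the request handler logs database errors server-side instead of echoing them to the caller.

```python
import logging
import re
import sqlite3

log = logging.getLogger("lookup")


def make_db():
    """Constructed in-memory table standing in for an application's back-end database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "staff"),
        ("bob", "bob@example.com", "staff"),
        ("carol", "carol@example.com", "admin"),
    ])
    return db


def lookup_vulnerable(db, username):
    """Vulnerable form: the input becomes part of the SQL text, so a quote in the input
    changes the statement's logic instead of being compared as a value."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    """Parameterized form: the driver sends the value separately from the statement,
    so whatever the input contains is only ever compared as data."""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


# Whitelist of what a username may look like (assumed rule for this example).
ALLOWED_USERNAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def lookup_whitelisted(db, username):
    """Input validation in front of the parameterized query: reject anything that cannot be
    a username at all, which also gives the application a clean event to log and alert on."""
    if not ALLOWED_USERNAME.match(username):
        raise ValueError("rejected username")
    return lookup_parameterized(db, username)


def handle_lookup(db, username):
    """Application boundary: the client gets a generic response; the database's own error
    text goes to the server log only (the report's 'disable output of database error messages')."""
    try:
        return {"ok": True, "rows": lookup_whitelisted(db, username)}
    except ValueError:
        log.warning("rejected lookup input %r", username)
        return {"ok": False, "error": "invalid request"}
    except sqlite3.Error as exc:
        log.error("database error during lookup: %s", exc)
        return {"ok": False, "error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # the textbook tautology, used here only to show the difference
    print("vulnerable:    ", lookup_vulnerable(db, probe))
    print("parameterized: ", lookup_parameterized(db, probe))
    print("handler:       ", handle_lookup(db, probe))
    print("handler, valid:", handle_lookup(db, "carol"))
```

The point of layering is visible in the output: the parameterized query alone already returns nothing for the tautology, the whitelist turns the same request into a logged, alertable rejection, and the handler ensures that even an unexpected database failure never hands the client the error text that would reveal table or column names.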
Unauthorized access via default credentials

Description: Refers to instances in which an attacker gains access to a system or device protected by standard preset (and therefore widely known) usernames and passwords.

Indicators: User behavioral analysis (e.g., abnormal logon time or source location); monitor all administrative/privileged activity (including third parties); use of last logon banner (can indicate unauthorized access).

Mitigators: Change default credentials (prior to deployment); delete or disable default account; scan for known default passwords (following deployment); password rotation (because it helps enforce change from default); inventory of remote administrative services (especially those used by third parties). For third parties: contracts (stipulating password requirements); consider sharing administrative duties; scan for known default passwords (for assets supported by third parties).
Phishing (and endless *ishing variations)

Description: A social engineering technique in which an attacker uses fraudulent electronic communication (usually e-mail) to lure the recipient into divulging information. Most appear to come from a legitimate entity and contain authentic-looking content. The attack often incorporates a fraudulent website component as well as the lure.

Indicators: Difficult to detect given the quasi-technical nature and ability to exploit human weaknesses. Unsolicited and unusual communication; instructions to provide information or take actions contrary to policies; requests outside of normal workflow; poor grammar; a false sense of urgency; e-mail logs.

Mitigators: General security awareness training; clearly defined policies and procedures; do not train staff to ignore policies through official actions that violate them; policies regarding use of e-mail for administrative functions (e.g., password change requests, etc.); train staff to recognize and report suspected phishing messages; verify suspect requests through trusted methods and channels; configure e-mail clients to render HTML e-mails as text; anti-spam; e-mail attachment virus checking and filtering.
verizon.com/enterprise
© 2012 Verizon. All Rights Reserved. MC15244 04/12. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.
2012 DATA BREACH INVESTIGATIONS REPORT
A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police,
Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service,
Police Central e-Crime Unit, and United States Secret Service.
TABLE OF CONTENTS

Executive Summary ... 2
Methodology ... 5
Classifying Incidents Using VERIS ... 6
A Word on Sample Bias ... 8
Results and Analysis ... 9
Demographics ... 10
2011 DBIR: Threat Event Overview ... 13
Threat Agents ... 16
Breach Size by Threat Agent ... 18
External Agents (98% of breaches, 99+% of records) ... 19
Internal Agents (4% of breaches,
-
7/31/2019 Rp Data Breach Investigations Report 2012 en Xg
16/92
2
EXECUTIVE SUMMARY
855 incidents, 174 million compromised records.
This year our DBIR includes more incidents, derived from more contributors, and represents a broader and more diverse geographical scope. The number of compromised records across these incidents skyrocketed back up to 174 million after reaching an all-time low (or high, depending on your point of view) in last year's report of four million. In fact, 2011 boasts the second-highest data loss total since we started keeping track in 2004.
Once again, we are proud to announce that the United States Secret Service (USSS) and the Dutch National High Tech Crime Unit (NHTCU) have joined us for this year's report. We also welcome the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISSCERT), and the Police Central e-Crime Unit (PCeU) of the London Metropolitan Police. These organizations have broadened the scope of the DBIR tremendously with regard to data breaches around the globe. We heartily thank them all for their spirit of cooperation, and sincerely hope this report serves to increase awareness of cyber crime, as well as our collective ability to fight it.
With the addition of Verizon's 2011 caseload and data contributed from the organizations listed above, the DBIR series now spans eight years, well over 2000 breaches, and greater than one billion compromised records. It's been a fascinating and informative journey, and we are grateful that many of you have chosen to come along for the ride. As always, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers. We begin with a few highlights below.
WHO IS BEHIND DATA BREACHES?
98% stemmed from external agents (+6%)
No big surprise here; outsiders are still dominating the scene of corporate data theft. Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011. Activist groups created their fair share of misery and mayhem last year as well, and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role across the caseload. As one might expect with such a rise in external attackers, the proportion of insider incidents declined yet again this year to a comparatively scant 4%.
4% implicated internal employees (-13%)
WHERE SHOULD MITIGATION EFFORTS BE FOCUSED?
Once again, this study reminds us that our profession has the necessary tools to get the job done. The challenge for the good guys lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time. Evidence shows when that happens, the bad guys are quick to take advantage of it.
As you'll soon see, we contrast findings for smaller and larger organizations throughout this report. You will get a sense for how very different (and in some cases how very similar) their problems tend to be. Because of this, it makes sense that the solutions to these problems are different as well. Thus, most of the recommendations given at the end of this report relate to larger organizations. It's not that we're ignoring the smaller guys; it's just that while modern cybercrime is a plague upon their house, the antidote is fairly simple and almost universal.
Larger organizations exhibit a more diverse set of issues that must be addressed through an equally diverse set of corrective actions. We hope the findings in this report help to prioritize those efforts, but truly tailoring a treatment strategy to your needs requires an informed and introspective assessment of your unique threat landscape.
Smaller organizations
Implement a firewall or ACL on remote access services
Change default credentials of POS systems and other Internet-facing devices
If a third party vendor is handling the two items above, make sure they've actually done them
Larger organizations
Eliminate unnecessary data; keep tabs on what's left
Ensure essential controls are met; regularly check that they remain so
Monitor and mine event logs
Evaluate your threat landscape to prioritize your treatment strategy
Refer to the conclusion of this report for indicators and mitigators for the most common threats
Got questions or comments about the DBIR? Drop us a line at dbir@verizon.com, find us on Facebook, or post to Twitter with the hashtag #dbir.
METHODOLOGY
Based on the feedback we receive about this report, one of the things readers value most is the level of rigor and honesty we employ when collecting, analyzing, and presenting data. That's important to us, and we appreciate your appreciation. Putting this report together is, quite frankly, no walk in the park (855 incidents to examine isn't exactly a light load). If nobody knew or cared, we might be tempted to shave some time and effort by cutting some corners, but the fact that you do know and do care helps keep us honest. And that's what this section is all about.
Verizon Data Collection Methodology
The underlying methodology used by Verizon remains relatively unchanged from previous years. All results are based on first-hand evidence collected during paid external forensic investigations conducted by Verizon from 2004 to 2011. The 2011 caseload is the primary analytical focus of the report, but the entire range of data is referenced extensively throughout. Though the RISK team works a variety of engagements (over 250 last year), only those involving confirmed data compromise are represented in this report. There were 90 of these in 2011 that were completed within the timeframe of this report. To help ensure reliable and consistent input, we use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to record case data and other relevant details (fuller explanation of this to follow). VERIS data points are collected by analysts throughout the investigation lifecycle and completed after the case closes. Input is then reviewed and validated by other members of the RISK team. During the aggregation process, information regarding the identity of breach victims is removed from the repository of case data.
Data Collection Methodology for other contributors
The USSS, NHTCU, AFP, IRISSCERT, and PCeU differed in precisely how they collected data contributed for their part, but they shared the same basic approach. All leveraged VERIS as the common denominator but used varying mechanisms for data entry. For instance, agents of the USSS used a VERIS-based internal application to record pertinent case details. For the AFP, we interviewed lead agents on each case, recorded the required data points, and requested follow-up information as necessary. The particular mechanism of data collection is less important than the understanding that all data is based on real incidents and, most importantly, on facts about these incidents. These organizations used investigative notes, reports provided by the victim or other forensic firms, and their own experience gained in handling the case. The collected data was purged of any information that might identify organizations or individuals involved and then provided to Verizon's RISK Team for aggregation and analysis.
From the numerous investigations worked by these organizations in 2011, in alignment with the focus of the DBIR, the scope was narrowed to only those involving confirmed organizational data breaches1. The scope was further narrowed to include only cases for which Verizon did not conduct the forensic investigation2. All in all, these agencies contributed a combined 765 breaches for this report. Some may raise an eyebrow at the fact that Verizon's caseload represents a relatively small proportion of the overall dataset discussed in this report, but we couldn't be happier with this outcome. We firmly believe that more information creates a more complete and accurate understanding of the problem we all collectively face. If that means our data takes a backseat in a Verizon-authored publication, so be it; we'll trade share of voice for shared data any day of the week.
1 Organizational data breach refers to incidents involving the compromise (unauthorized access, theft, disclosure, etc.) of non-public information while it was stored, processed, used, or transmitted by an organization.
2 We often work, in one manner or another, with these agencies during an investigation. To eliminate redundancy, Verizon-contributed data were used when both Verizon and another agency worked the same case.
While we're on that topic, if your organization investigates or handles data breaches and might be interested in contributing to future DBIRs, let us know. The DBIR family continues to grow, and we welcome new members.
A brief primer on VERIS
VERIS is a framework designed to provide a common language for describing security incidents in a structured and repeatable manner. It takes the narrative of "who did what to what (or whom) with what result" and translates it into the kind of data you see presented in this report. Because many readers asked about the methodology behind the DBIR and because we hope to facilitate more information sharing on security incidents, we have released VERIS for free public use. A brief overview of VERIS is available on our website3 and the complete framework can be obtained from the VERIS community wiki4. Both are good companion references to this report for understanding terminology and context.
Classifying Incidents Using VERIS
The Incident Classification section of the VERIS framework translates the incident narrative of "who did what to what (or whom) with what result" into a form more suitable for trending and analysis. To accomplish this, VERIS employs the A4 Threat Model developed by Verizon's RISK team. In the A4 model, a security incident is viewed as a series of events that adversely affects the information assets of an organization. Every event is comprised of the following elements (the four A's):
Agent: Whose actions affected the asset
Action: What actions affected the asset
Asset: Which assets were affected
Attribute: How the asset was affected
It is our position that the four A's represent the minimum information necessary to adequately describe any incident or threat scenario. Furthermore, this structure provides an optimal framework within which to measure frequency, associate controls, link impact, and many other concepts required for risk management.
If we calculate all the combinations of the A4 model's highest-level elements (three Agents, seven Actions, five Assets, and three Attributes), 315 distinct threat events emerge5. The grid in Figure 1 graphically represents these and designates a Threat Event Number (hereafter referenced by TE#) to each. TE1, for instance, coincides with External Malware that affects the Confidentiality of a Server. Note that not all 315 A4 combinations are feasible. For instance, malware does not, so far as we know, infect people...though it does make for intriguing sci-fi potential.
Turning the Incident Narrative into Metrics
As stated above, incidents often involve multiple threat events. Identifying which ones are in play, and using them to reconstruct the chain of events, is how we model incidents to generate the statistics in this report. By way of example, we describe below a simplified hypothetical incident where a spear phishing attack is used to exfiltrate sensitive data and intellectual property (IP) from an organization.
The flowchart representing the incident includes four primary threat events and one conditional event6. A brief description of each event is given along with the corresponding TE# and A4 categories from the matrix exhibited earlier.
3 http://www.verizonbusiness.com/resources/whitepapers/wp_verizon-incident-sharing-metrics-framework_en_xg.pdf
4 https://verisframework.wiki.zoho.com/
5 Some will remember that this grid showed 630 intersections as presented in the 2011 DBIR. The difference is a result of the number of security attributes depicted. While we still recognize the six attributes of the Parkerian Hexad, we (with input from others) have decided to use and present them in paired format (e.g., confidentiality and possession losses). Thus, the notions of confidentiality versus possession are preserved, but data analysis and visualization is simplified (a common request from VERIS users). More discussion around this change can be found on the Attributes section of the VERIS wiki.
6 See the Error section under Threat Actions for an explanation of conditional events.
Once the construction of the main event chain is complete, additional classification can add more specificity around the elements comprising each event (i.e., the particular type of External agent or exact Social tactics used, etc.). The incident is now VERIS-ized and useful metrics are available for reporting and further analysis.
One final note before we conclude this sub-section. The process described above has value beyond just describing the incident itself; it can help identify what might have been done (or not done) to prevent it. The goal is straightforward: break the chain of events and you stop the incident from proceeding. For instance, security awareness training and e-mail filtering could help keep E1 from occurring. If not, anti-virus and a least-privilege implementation on the laptop might prevent E2. Stopping progression between E2 and E3 may be accomplished through egress filtering or netflow analysis to detect and prevent backdoor access. Training and change control procedures could help avoid the administrator's misconfiguration described in the conditional event and preclude the compromise of intellectual property in E4. These are just a few examples of potential controls for each event, but the ability to visualize a layered approach to deterring, preventing, and detecting the incident should be apparent.
Figure 1. VERIS A4 grid depicting the 315 high-level threat events. Columns: the seven Actions (Malware, Hacking, Social, Misuse, Physical, Error, Environmental), each split into Ext, Int and Prt agents; rows: the five Assets (Servers, Networks, User Devices, Offline Data, People), each split into Confidentiality & Possession, Integrity & Authenticity, and Availability & Utility. TE# runs row-wise from 1 to 315: Servers 1-63, Networks 64-126, User Devices 127-189, Offline Data 190-252, People 253-315.
A Word on Sample Bias
Allow us to reiterate: we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. Even though the merged dataset (presumably) more closely reflects reality than any of its parts might in isolation, it is still a sample. Although we believe many of the findings presented in this report to be appropriate for generalization (and our confidence in this grows as we gather more data and compare it to that of others), bias undoubtedly exists. Unfortunately, we cannot measure exactly how much bias exists (i.e., in order to give a precise margin of error). We have no way of knowing what proportion of all data breaches are represented because we have no way of knowing the total number of data breaches across all organizations in 2011. Many breaches go unreported (though our sample does contain many of those). Many more are as yet unknown by the victim (and thereby unknown to us). What we do know is that our knowledge grows along with what we are able to study, and that grew more than ever in 2011. At the end of the day, all we as researchers can do is pass our findings on to you to evaluate and use as you see fit.
E1: External agent sends a phishing e-mail that successfully lures an executive to open the attachment. TE#280, External / Social / People / Integrity
E2: Malware infects the exec's laptop, creating a backdoor. TE#148, External / Malware / User Device / Integrity
E3: External agent accesses the exec's laptop via the backdoor, viewing e-mail and other sensitive data. TE#130, External / Hacking / User Device / Confidentiality
CE1: System administrator misconfigures access controls when building a new file server. TE#38, Internal / Error / Server / Integrity
E4: External agent accesses a mapped file server from the exec's laptop and steals intellectual property. TE#4, External / Hacking / Server / Confidentiality
Figure 2. Sample VERIS incident scenario (events E1 to E4, conditional event CE1)
RESULTS AND ANALYSIS
The 2011 combined dataset represents the largest we have ever covered in any single year, spanning 855 incidents and over 174 million compromised records (the second-highest total, if you're keeping track). These next few paragraphs should help make sense of it all.
In several places throughout the text, we present and discuss the entire range of data from 2004 to 2011. As you study these findings, keep in mind that the sample dataset is anything but static. The number, nature, and sources of cases change dramatically over time. Given this, you might be surprised at how stable many of the trends appear (a fact that we think strengthens their validity). On the other hand, certain trends are almost certainly more related to turmoil in the sample than significant changes in the external threat environment. As in previous reports, the chosen approach is to present the combined dataset intact and highlight interesting differences (or similarities) within the text where appropriate. There are, however, certain data points that were only collected for Verizon cases; these are identified in the text and figures.
The figures in this report utilize consistent formatting. Values shown in dark gray pertain to breaches while values in red pertain to data records. The "breach" is the incident under investigation in a case and "records" refer to the amount of data units (files, card numbers, etc.) compromised in the breach. In some figures, we do not provide a specific number of records, but use a red "#" to denote a high proportion of data loss. If the value represents substantial change from prior years, this is marked with an orange "+" or "-" symbol (denoting an increase or decrease). Many figures and tables in this report add up to over 100%; this is not an error. It simply stems from the fact that items presented in a list are not always mutually exclusive, and, thus, several can apply to any given incident.
Because the number of breaches in this report is so high, the use of percentages is deceiving in some places (5 percent may not seem like much, but it represents over 40 incidents). Where appropriate, we show the raw number of breaches instead of or in addition to the percentages. A handy percent-to-number conversion table is shown in Table 1.
Not all figures and tables contain all possible options but only those having a value greater than zero (and some truncate more than that). To see all options for any particular figure, refer to the VERIS framework.
Some constructive criticism we received about the 2011 report suggested the dataset was so riddled with small breach victims that it didn't apply as strongly to larger organizations as it had in years past. (Th rvc yu iv th pp?)
We're kidding, of course; this critique is both understood and helpful. One of the problems with looking at a large amount of data for a diverse range of organizations is that averages across the whole are just that: average. Because the numbers speak for all organizations, they don't really speak to any particular organization or demographic. This is unavoidable. We've made the conscious decision to study all types of data breaches as they affect all types of organizations, and if small businesses are dropping like flies, we're not going to exclude them because they inflate our data. What we can do, however, is to present the results in such a way that they are more readily applicable to certain groups.
855 Breaches
%     #
1%    9
5%    43
10%   86
25%   214
33%   282
50%   428
Table 1. Key to percent-to-number conversion for the 2012 DBIR dataset
We could split the dataset myriad ways, but we've chosen (partially due to the aforementioned criticism) to highlight differences (and similarities) between smaller and larger organizations (the latter having at least 1000 employees). We hope this alleviates the concern and makes the findings in this report both generally informative and particularly useful.
Oh, and though we don't exactly condone schadenfreude, we do hope you find it enjoyable.
Demographics
Every year we begin with the demographics from the previous year's breach victims because it sets the context for the rest of the information presented in the report. Establishing how the breaches break down across industries, company size, and geographic location should help you put some perspective around the juicy bits presented in the following sections.
This year we altered how we collect some of the demographic data. We decided to stop using our own list of industries and adopt the North American Industry Classification System (which is cross-referenced to other common classifications). As a result, some of the trending and comparisons from the industry breakdown in previous years lose consistency, but for the most part the classifications map closely enough that comparisons are not without value.
As Figure 3 shows, the top three spots carry over from our last report. The most-afflicted industry, once again, is Accommodation and Food Services, consisting of restaurants (around 95%) and hotels (about 5%). The Finance and Insurance industry dropped from 22% in 2010 to approximately 10% last year. While we've derived a range of plausible (and not-so-plausible) explanations for the widening gap between Finance and Food Services, we will reserve most of these for more applicable sections in the report. Suffice it to say that it appears the cybercrime industrialization trend that heavily influenced findings in our last report (and has been echoed by other reports in the industry7), is still in full swing.
When looking at the breakdown of records lost per industry in Figure 4, however, we find a very different result. The chart is overwhelmed by two industries that barely make a showing in Figure 3 and have not previously contributed to a large share of data loss: Information and Manufacturing. We'll touch more on this throughout the report, but this surprising shift is mainly the result of a few very large breaches that hit organizations in these industries in 2011. We suspect the attacks affecting these organizations were directed against their brand and/or their data rather than toward their industry.
7 For instance, see Trustwave's 2012 Global Security Report discussing growing attacks against franchises.
The North American Industry Classification System (NAICS) is the standard used by Federal statistical agencies in classifying business establishments for the purpose of collecting, analyzing, and publishing statistical data related to the U.S. business economy.
NAICS was developed under the auspices of the Office of Management and Budget (OMB), and adopted in 1997 to replace the Standard Industrial Classification (SIC) system. It was developed jointly by the U.S. Economic Classification Policy Committee (ECPC), Statistics Canada, and Mexico's Instituto Nacional de Estadistica y Geografia, to allow for a high level of comparability in business statistics among the North American countries.
Source: http://www.census.gov/eos/www/naics/
Redrawing Figure 5 with the outliers removed reveals what is perhaps a more representative or typical account of compromised records across industries. Figure 4 is a bit more in line with historical data and bears some resemblance to Figure 3 above.
Once again, organizations of all sizes are included among the 855 incidents in our dataset. Smaller organizations represent the majority of these victims, as they did in the last DBIR. Like some of the industry patterns, this relates to the industrialized attacks mentioned above; they can be carried out against large numbers in a surprisingly short timeframe with little to no resistance (from the victim, that is; law enforcement is watching and resisting. See the Discovery Methods section as well as Appendix B). Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cybercriminals understand this very well. Thus, the number of victims in this category continues to swell.
The rather large number of breaches tied to organizations of unknown size requires a quick clarification. While we ask DBIR contributors for demographic data, sometimes this information is not known or not relayed to us. There are valid situations where one knows details about attack methods and other characteristics, but little about victim demographics. This isn't ideal, but it happens. Rather than brushing these aside as useless data, we're using what can be validated and simply flagging what cannot as unknown (see Table 2).
As mentioned in the Methodology section, we will be breaking out findings where appropriate for larger organizations, by which we mean those with at least 1000 employees. Remember that as you read this report. So that you have a better idea of the makeup of this subset, Figure 6 shows the industries of the 60 organizations meeting this criteria.
Figure 4. Compromised records by industry: Information 52%+, Manufacturing 45%+, Other 3%
Figure 5. Compromised records by industry with breaches >1M records removed. Categories: Other, Retail Trade, Information, Administrative and Support Services, Accommodation and Food Services, Finance and Insurance; values: 40%, 28%, 10%, 9%, 7%, 6%
Figure 3. Industry groups represented by percent of breaches: Accommodation and Food Services 54%, Retail Trade 20%, Finance and Insurance 10%, Health Care and Social Assistance 7%+, Information 3%, Other 6%
Table 2. Organizational size by number of breaches (number of employees)
1 to 10             42
11 to 100          570
101 to 1,000        48
1,001 to 10,000     27
10,001 to 100,000   23
Over 100,000        10
Unknown            135
As usual, it's hard to pull meaning from where victims base their operations, since most breaches do not require the attacker to be physically present in order to claim their prize. We set a high mark in 2010 with 22 countries represented, but smashed that record in 2011 with a whopping 36 countries hosting organizations that fell victim to data compromise. This is one area where the contributions of our global law enforcement partners really highlight the fact that data breaches are not an isolated regional problem.
Figure 6. Industry groups represented by percent of breaches, larger orgs: Finance and Insurance 28%, Information 22%, Retail Trade 12%, Manufacturing 8%, Public Administration 7%; Other and Transportation and Warehousing: 5% and 18%
Figure 7. Countries represented in combined caseload (countries in which breaches were confirmed): Australia, Austria, Bahamas, Belgium, Brazil, Bulgaria, Canada, Denmark, France, Germany, Ghana, Greece, India, Ireland, Israel, Japan, Jordan, Kuwait, Lebanon, Luxembourg, Mexico, Netherlands, New Zealand, Philippines, Poland, Romania, Russian Federation, South Africa, Spain, Taiwan, Thailand, Turkey, United Arab Emirates, Ukraine, United Kingdom, United States
2011 DBIR: Threat Event Overview
In last year's DBIR, we presented the VERIS threat event grid populated with frequency counts for the first time. Other than new data sharing partners, it was the most well-received feature of the report. The statistics throughout this report provide separate analysis of the Agents, Actions, Assets, and Attributes observed, but the grid presented here ties it all together to show intersections between the four A's. It gives a single big-picture view of the threat events associated with data breaches in 2011. Figure 8 (overall dataset) and Figure 9 (larger orgs) use the structure of Figure 1 from the Methodology section, but replace the TE# with the total number of breaches in which each threat event was part of the incident scenario8. This is our most condensed view of the 855 data breaches analyzed this year, and there are several things worth noting.
When we observe the overall dataset from a threat management perspective, only 40 of the 315 possible threat events have a value greater than zero (13%). Before going further, we do want to restate that not all intersections in the grid are feasible. Readers should also remember that this report focuses only on data breaches. During engagements where we have worked with organizations to VERIS-ize all of their security incidents over the course of a year, it's quite interesting to see how different the grid looks when compared to a DBIR dataset. As one might theorize, Error and Misuse as well as Availability losses prove much more common.
8 In other words, 381 of the 855 breaches in 2011 involved external malware that affected the confidentiality of a server (the top left threat event).
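The TE# arithmetic behind the Figure 1 grid, the event chain of the Figure 2 scenario, and the Figure 8-style frequency grid described above, as an added Python example (not code from the report or from the VERIS framework). The category order follows Figure 1; the POS-style incidents in the caseload are constructed for illustration, and a chain is modelled as a plain sequence in which a blocked event halts everything after it.

```python
"""VERIS A4 threat-event arithmetic: TE# numbering from Figure 1, the incident
chain of Figure 2, and a Figure 8-style frequency grid over a caseload.
Added example; not code from the report or the VERIS framework."""
from collections import Counter

# Category order as laid out in Figure 1: columns are Action x Agent,
# rows are Asset x Attribute, and TE# runs row-wise from 1 to 315.
AGENTS = ("External", "Internal", "Partner")
ACTIONS = ("Malware", "Hacking", "Social", "Misuse", "Physical", "Error", "Environmental")
ASSETS = ("Servers", "Networks", "User Devices", "Offline Data", "People")
ATTRIBUTES = ("Confidentiality & Possession", "Integrity & Authenticity",
              "Availability & Utility")
COLUMNS = len(ACTIONS) * len(AGENTS)                   # 21 columns
GRID_SIZE = COLUMNS * len(ASSETS) * len(ATTRIBUTES)    # 315 threat events


def te_number(agent, action, asset, attribute):
    """A4 combination -> TE# (TE#1 is External Malware / Servers / Confidentiality)."""
    col = ACTIONS.index(action) * len(AGENTS) + AGENTS.index(agent)
    row = ASSETS.index(asset) * len(ATTRIBUTES) + ATTRIBUTES.index(attribute)
    return row * COLUMNS + col + 1


def a4_of(te):
    """Inverse of te_number: TE# -> (agent, action, asset, attribute)."""
    if not 1 <= te <= GRID_SIZE:
        raise ValueError(f"TE# out of range: {te}")
    row, col = divmod(te - 1, COLUMNS)
    action, agent = divmod(col, len(AGENTS))
    asset, attribute = divmod(row, len(ATTRIBUTES))
    return AGENTS[agent], ACTIONS[action], ASSETS[asset], ATTRIBUTES[attribute]


# The spear-phishing scenario of Figure 2: (label, agent, action, asset, attribute).
SAMPLE_INCIDENT = [
    ("E1", "External", "Social", "People", ATTRIBUTES[1]),         # lure opens attachment
    ("E2", "External", "Malware", "User Devices", ATTRIBUTES[1]),  # backdoor on laptop
    ("E3", "External", "Hacking", "User Devices", ATTRIBUTES[0]),  # e-mail read via backdoor
    ("CE1", "Internal", "Error", "Servers", ATTRIBUTES[1]),        # misconfigured file server
    ("E4", "External", "Hacking", "Servers", ATTRIBUTES[0]),       # IP stolen from server
]

# Constructed, illustrative "industrialized" POS breach (not a case from the report):
# hack in, plant malware, malware exfiltrates card data.
POS_INCIDENT = [
    ("E1", "External", "Hacking", "Servers", ATTRIBUTES[0]),
    ("E2", "External", "Malware", "Servers", ATTRIBUTES[1]),
    ("E3", "External", "Malware", "Servers", ATTRIBUTES[0]),
]
CONSTRUCTED_CASELOAD = [SAMPLE_INCIDENT] + [POS_INCIDENT] * 3


def event_chain(incident):
    """[(label, TE#)] for each event of an incident, in order."""
    return [(label, te_number(*a4)) for label, *a4 in incident]


def break_chain(incident, blocked_te):
    """Events that still occur when a control stops threat event `blocked_te`;
    the chain is modelled as a sequence, so everything after it is prevented."""
    survived = []
    for label, te in event_chain(incident):
        if te == blocked_te:
            break
        survived.append(label)
    return survived


def frequency_grid(incidents):
    """Figure 8 style: per TE#, the number of incidents whose chain contains it
    (an incident is counted once per TE# even if the event recurs)."""
    counts = Counter()
    for incident in incidents:
        counts.update({te for _label, te in event_chain(incident)})
    return counts


def grid_coverage(counts):
    """Fraction of the 315 cells with a non-zero count (the report: 40/315, 13%)."""
    return sum(1 for c in counts.values() if c > 0) / GRID_SIZE


def top_events(counts, n=10):
    """Table 3 style ranking: (TE#, agent, action, asset, attribute, count)."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(te, *a4_of(te), c) for te, c in ranked[:n]]


if __name__ == "__main__":
    for label, te in event_chain(SAMPLE_INCIDENT):
        print(f"{label:>3}: TE#{te:<3} {' / '.join(a4_of(te))}")
    grid = frequency_grid(CONSTRUCTED_CASELOAD)
    print(f"grid coverage: {grid_coverage(grid):.1%}")
    for row in top_events(grid, 5):
        print(row)
```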
Figure 8. VERIS A4 grid depicting the frequency of high-level threat events (same layout as Figure 1, each cell holding the number of breaches in which that threat event occurred; the most frequent cells are listed in Table 3)
Figure 9. VERIS A4 grid depicting the frequency of high-level threat events, larger orgs (same layout as Figure 1; the most frequent cells are listed in Table 4)
USING VERIS FOR EVIDENCE-BASED RISK MANAGEMENT
This may sound like an advertisement, but it isn't: you can do this using VERIS (which is free!). Imagine, as a risk manager, having access to all security incidents within your organization classified using VERIS (if you really want to let your imagination run wild, think about having similar data from other organizations like your own). Over time, a historical dataset is created, giving you detailed information on what happened, how often it happened, and what hasn't happened within your organization. Unknowns and uncertainties begin to be traced. You give it to your data visualization guys who crank out grids for your various business groups similar to Figure 9. Hotspots on the grid focus your attention on critical problems and help to properly diagnose underlying ailments; from there, treatment strategies to deter, prevent, detect, or help recover from recurring (or damaging) threat events can be identified and prioritized. But you don't stop there; you actually measure the effectiveness of your prescriptions to track whether incidents do decrease after the treatments are administered. Thus, you achieve a state where better measurement enables better management. Colleagues start referring to you as the Risk Doctor and suddenly your opinion matters in security spending discussions. This could be you.
Obviously, this is meant to be tongue in cheek, but we truly do believe in the merits of an approach like this. We like to refer to this approach as Evidence-Based Risk Management (EBRM), borrowing from the concept of evidence-based medicine. Essentially, EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk. Security incidents, whether large or small, are a huge part of that best available evidence. This is why we assert that meticulously analyzing them is a highly beneficial practice.
Now back to the grid, where the results for the overall dataset share many similarities with our last report. The biggest changes are that hotspots in the Misuse and Physical areas are a little cooler, while Malware and Hacking against Servers and User Devices are burning brighter than ever. Similarly, the list of top threat events in Table 3 is eerily familiar.
Separating the threat events for larger organizations in Figure 9 yields a few additional talking points. Some might be surprised that this version of the grid is less covered than Figure 8 (22 of the 315 events, or 7%, were seen at least once). One would expect that the bigger attack surface and stronger controls associated with larger organizations would spread attacks over a greater portion of the grid. This may be true, and our results shouldn't be used to contradict that point. We believe the lower density of Figure 9 compared to Figure 8 is mostly a result of size differences in the datasets (855 versus 60 breaches). With respect to threat diversity, it's interesting that the grid for larger organizations shows a comparatively more even distribution across in-scope threat events (i.e., less extreme clumping around Malware and Hacking). Related to this, Social and Physical events make the top 10 list in Table 4. Based on descriptions in the press of prominent attacks leveraging social engineering, this isn't a shocker. Naturally, we'll expound on this throughout the following sections.
Table 3. Top 10 VERIS threat events
Rank  Threat event                                      TE#   Count
1     External Hacking Server Confidentiality            4    518
2     External Hacking Server Integrity                  28   422
3     External Hacking User Device Confidentiality       130  419
4     External Malware Server Integrity                  22   397
5     External Malware Server Confidentiality            1    381
6     External Malware User Device Confidentiality       127  356
7     External Malware User Device Integrity             148  355
8     External Hacking User Device Integrity             151  355
9     External Physical User Device Confidentiality      139  86
10    External Physical User Device Integrity            160  86
Table 4. Top 10 VERIS threat events, larger orgs
Rank  Threat event                                      TE#   Count
1     External Hacking Server Confidentiality            4    33
2     External Hacking Server Integrity                  28   18
3     External Social People Integrity                   280  11
4     External Malware Server Integrity                  22   10
5     External Physical User Device Confidentiality      139  10
6     External Physical User Device Integrity            160  10
7     External Malware Server Confidentiality            1    7
8     External Social People Confidentiality             259  7
9     External Hacking User Device Confidentiality       130  6
10    External Malware User Device Integrity             148  4
Threat Agents
Entities that cause or contribute to an incident are known as threat agents. There can, of course, be more than one agent involved in any particular incident. Actions performed by them can be malicious or non-malicious, intentional or unintentional, causal or contributory, and stem from a variety of motives (all of which will be discussed in subsequent agent-specific sections). Identification of the agents associated with an incident is critical to taking specific corrective action as well as informing decisions regarding future defensive strategies. VERIS specifies three primary categories of threat agents: External, Internal, and Partner.
External: External threats originate from sources outside the organization and its network of partners. Examples include former employees, hackers, organized criminal groups, and government entities. External agents also include environmental events such as floods, earthquakes, and power disruptions. Typically, no trust or privilege is implied for external entities.
Internal: Internal threats are those originating from within the organization. This encompasses company executives, employees, independent contractors, interns, etc., as well as internal infrastructure. Insiders are trusted and privileged (some more than others).
Partner: Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners.
Figure 10 displays the distribution of threat agents by percentage of breaches in this year's dataset, along with previous years of this study. It's important to keep in mind that we're not looking at a consistent sample. The first few years were based only on Verizon cases, then the USSS (2007-2011), NHTCU (2006-2011), AFP (2011), IRISSCERT (2011), and PCeU (2011) joined at various points in the years that followed. Thus, trends are a combination of changes in the threat environment and changes within the sample dataset.
Figure 10. Threat agents by percent of breaches, this year and previous years of the study
2011 continued the shift toward external agent involvement in a high percentage of data breaches. Though we have always seen an external majority, never before has any year been so lop-sided. 2009 was the closest to an exception to that rule, but the rise in internal agents was mostly the by-product of incorporating the insider-heavy USSS caseload (see the 2010 DBIR9 for more details). Since then, it's primarily been outsiders in the caseloads we've examined.
Apart from yearly sample variations, there are several factors contributing to the escalating percentage of external agents over insiders and partners in this report. The primary factor, which we addressed at length in the 2011 DBIR10, is the continued effect of industrialized attacks on these ratios. Organized criminal groups targeting payment card information from Internet-facing POS systems or physically-exposed ATMs and gas pumps can launch such attacks against hundreds of victims during the same operation. From a percentage standpoint, the resulting effect that these commoditized yet highly-scalable attacks have on threat agent trends makes perfect sense. Insiders, by definition, have a smaller number of potential targets.
Another contributor to the continued rise of external agents in 2011 was the reinvigorated conduct of activist groups. Commonly known as hacktivism, these attacks are inherently external in nature. They are not nearly as frequent (some might even say constant) as mainline cybercrime, but as we'll see, they can be quite damaging.
We would be remiss if we did not point out that in 2011, there were several investigations involving internal agents that did not meet the definition of a data breach. When insiders misuse access or information provided for their job duties, but did not disclose information to an unauthorized party, then no confidentiality loss has occurred11. Such incidents are not included in this report.
Another interesting observation about 2011 is the much lower percentage of multi-agent breaches. Back in 2009, over one-quarter of all incidents was the work of more than one category of threat agent. Such incidents sometimes involve overt collusion, but more often an outsider solicits an insider to participate in some aspect of the crime. In 2011, that figure was just 2%. The decline here can be attributed to the industrialization trend discussed above.
Partner threat agents have realized a steady decrease over the last few years, and this dataset is no exception12. With less than 1% of breaches caused by partners, it will be hard to go anywhere but up in the next report. Similar to insiders, the dramatic increase in external agents helps to explain this decline, but there are other factors as well. Notice that the downward trend begins in 2008, which preceded the major shift toward highly-scalable attacks by outsiders. We have given several hypotheses in past reports, including increased awareness, regulation, and technology advancements. More significant is how we define causal and contributory agents. Partners that did not have a causal role in the incident are not included in the percentage. More discussion of such scenarios can be found in the Partner and Error sections of this report.
It is entirely possible that malicious insiders and/or partners are flying under the radar and thus avoiding discovery. We have mentioned in previous reports (and will mention in later sections) that a high percentage of breaches are identified by fraud detection. However, compromise of non-financial data does not have the mechanism to trigger fraud alerts, and is therefore more difficult to discover. Our data consistently shows that trusted parties are
9 http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
10 http://www.verizonbusiness.com/go/2011dbir/us/
11 A frequent example of this is a bank employee who uses system privileges to make an unauthorized withdrawal or transfer of funds. This is certainly a security violation, but it is not a data breach.
12 Some may rightly remember that the percentage tied to partners was substantially higher in prior reports. Keep in mind that those reports showed Verizon data separately, whereas this is the combined data from all participating organizations retrofitted to historical data. It definitely changes the results.
considerably more likely to steal intellectual property and other sensitive (non-financial) data, and there's a good chance those activities would never be detected. This is not included to apologize for bias or to spread FUD, but to raise a valid point that insiders and partners are probably under-represented in Figure 10 (though, in the grand scheme of things, we still don't think they're anywhere close to outsiders).
In keeping with our promise to give findings specific to larger organizations, we present Figure 12. Those hoping to see significantly different results here are bound for disappointment. (Don't you hate it when data gets in the way of a good theory?) We had incredibly insightful and rational explanations ready to explain why insiders and partners were more likely to attack larger organizations, but alas, it all goes to waste.
Breach Size by Threat Agents
Data compromise, measured by number of records lost, is not indicative of the full impact of the breach, but is a useful and measurable indicator of it. We agree that it would be optimal to include more information associated with response, brand damage, business disruption, legal penalties, etc. As a small step in this direction, we have added a short section to this report discussing some of these consequences. Here, we focus exclusively on the amount of data lost. Figure 13 shows the distribution among threat agents of the approximately 174 million records compromised across the merged 2011 dataset. No, we didn't forget to include values for insiders and partners; it's just that outsiders stole virtually all of it. When compared to the entire dataset encompassing all years of this study (Figure 14), the picture isn't much different (but we can at least see colors other than the greenish-blue). Mega-breaches, involving millions of records in a single incident, have consistently skewed the data numbers toward external agents. The high-volume, low-yield attacks also add up in their favor over time.
It's important to recognize the various types of data compromised and their influence on this metric. Payment card data and personal information are frequently stolen and lost in bulk, whereas intellectual property or classified data often only involve a single record. As mentioned previously, insiders are more likely to target the latter.
Figure 12. Threat agents by percent of breaches, larger orgs. Categories: External, Internal, Partner, Unknown; values: 87%, 5%, 5%, 3%
Figure 13. Compromised records by threat agent, 2011. Categories: External only, Internal only, Multiple agents, Partner only; values: 153,002; 403; 173,874,419; 55,493
Figure 14. Compromised records by threat agent, 2004-2011. Categories: External only, Internal only, Multiple agents, Partner only; values: 978,433,619; 28,925,291; 43,897,579; 46,476,153
Figure 11. Threat agents (exclusive) by percent of breaches (values shown: 95%+, 2%)
External Agents (98% of breaches, 99+% of records)
As with our previous DBIRs, this version continues to reinforce the finding that external parties are responsible for far more data breaches than insiders and partners. This go-round, they were tied to 98% of all incidents. At quick glance, much about the role, variety, and motives of external agents in 2011 appears to just be a continuation of the same story.
Outsiders almost always engaged in direct, intentional, and malicious actions. Only about 2% of cases featured external agents in an indirect role, where they solicited or aided someone else to act against the victim. Organized criminal groups were once again behind the lion's share (83%) of all breaches. One may wonder why it is they do what they do (we surely do, and that's why we started tracking more about motives last year), but the answer is pretty straightforward: they do it for the money (96%). Bottom line: most data thieves are professional criminals deliberately trying to steal information they can turn into cash. Like we said, same story.
It's not the whole story, however. Nor is it the most important. The most significant change we saw in 2011 was the rise of hacktivism against larger organizations worldwide. The frequency and regularity of cases tied to activist groups that came through our doors in 2011 exceeded the number worked in all previous years combined. But this was not restricted to our caseload alone; the other organizations participating in this report spent a great deal of effort responding to, investigating, and prosecuting hacktivist exploits. It was extremely interesting to piece the different perspectives together to form a global view of investigations into activist groups and their victims. 3% of all external attacks may not seem like much (though remember we're dealing with over 850 incidents here, and statistics related to motive are higher than that; plus we suspect some unknown agents are actually activists), but this trend is probably the biggest and single most important change factor in this year's DBIR.
[Figure 15. Motive of external agents by percent of breaches within External]

                                   All orgs   Larger orgs
Financial or personal gain         96%        71%
Disagreement or protest            3%         25%
Fun, curiosity, or pride           2%         23%
Grudge or personal offense         1%         2%
That is not to say that hacktivism is new; the term has been standard lexicon since it was coined by the Cult of the Dead Cow hacker collective in the late '90s.13 Back then, it mostly consisted of website defacements, coordinated denial of service attacks, and other tactics to express disagreement, obtain bragging rights, or just because. The major shift that occurred in 2011 was that activist groups added data breaches to their repertoire with much-heightened intensity and publicity. In other words, 2011 was a merger between the classic misdeeds and a new "oh by the way, we're gonna steal all your data too" twist.

But even that's not the whole story. Although activist groups accounted for a relatively small proportion of the 2011 caseload, they stole over 100 million records. That's almost twice the amount pilfered by the financially-motivated professionals we discussed earlier. So, though ideological attacks were less frequent, they sure took a heavy toll.

Why the disparity between the total records lost by professional cybercriminals versus activist groups? Looking through the case data, it is apparent that money-driven crooks continue to focus more on opportunistic attacks against weaker targets. This may be at least partly because a good number of their brethren are enjoying jail time. Instead of major (and risky) heists, they pilfer smaller hauls of data from a multitude of smaller organizations that present fewer risks to the attacker. Think of it as a way to streamline business processes. Find an easy way to prey on the unsuspecting, the weak, and the lame, and then simply repeat on a large scale. This high-volume, low-yield business model has become the standard M.O. for organized criminal groups.

An important revelation from this discussion is that nearly all data lost to activist groups was taken from larger organizations. Furthermore, the proportion of breaches tied to hacktivism-related motives rises to 25 percent. This stands to reason, since a well-known brand is likely to draw the ire of these groups. Just like the security professionals with whom they contend, criminals are constantly assessing risk: the risk of apprehension. One of the greatest challenges for law enforcement in the fight against cybercrime is merging criminals' real-world identity with their online identity. Unfortunately, for nearly 10% of the 2011 caseload, investigators were unable to identify a specific variety of external agent. There are several valid reasons for this. First and foremost, many clients do not maintain sufficient log data that would enable attribution. In many cases, this determination cannot be made through disk forensics. Many victims (for various reasons) do not wish to expand the investigation to include this line of inquiry once the breach has been successfully contained. Sometimes the perpetrator is able to erase his tracks or hide them among a host of intermediary systems. Every now and then, just as we think we've correctly identified them... Nope! Chuck Testa (just look it up; it's worth the break).
[Table 5. Varieties of external agents by percent of breaches within External and percent of records]

                                          All orgs               Larger orgs
                                          Breaches    Records    Breaches    Records
Organized criminal group                  83%         35%        33%         36%
Unknown                                   10%         1%         31%         0%
Unaffiliated person(s)                    4%          0%         10%         0%
Activist group                            2%          58%+       21%         61%
Former employee (no longer had access)    1%          0%         6%          0%
Relative or acquaintance of employee      0%          0%         2%          0%

13 http://www.wired.com/techbiz/it/news/2004/07/64193

Origin of External Agents

As is always the case, determining the geographic origin of external attackers based only on IP address can be problematic. Even if the country of the source IP address can be pinpointed, this may not be where the attacker actually resides. It's quite likely that it's just a host in a botnet or another hop used by the agent. In some cases, various types of additional data, such as those provided by law enforcement and/or netflow analysis, can help to
determine the attacker's true origin. Either way, examining the geographic origin of attacks is valuable for a number of reasons.

2011 findings look similar to previous years, with threat agents hailing from Eastern Europe accounting for two-thirds of external breaches (see Figure 16). However, in examining only large organizations, this number drops to 27%. This statistic is in line with the increasing tendency of organized criminal groups (that often hail from Eastern Europe) to target smaller, lowest-hanging-fruit victims. Attacks against larger organizations originated from a comparatively more diverse set of regions around the world.

Internal Agents (4% of breaches,
skim customer payment cards with handheld devices designed to capture magnetic stripe data. The data is then passed up the chain to criminals who use magnetic stripe encoders to create duplicate cards. Not surprisingly, such incidents are almost entirely associated with smaller businesses or independent local franchises of larger brands.

On the other hand, when regular corporate end users are involved (12%), their actions are quite different. In most instances, the employee abuses system access or other privileges in order to steal sensitive information. Almost all the scenarios listed above are motivated by financial or personal gain.

Outside of the varieties mentioned above, we observed a mixture of executives, managers, and supervisors (totaling 18%). Like the regular employees and end users, these individuals are exploiting system access and privileges. For another year running, we have declines in finance and accounting staff. Still, the daily responsibilities of these folks, which involve the oversight of and/or direct access to valuable assets and information, put them in a position to engage in a multitude of misdeeds. One cannot help but wonder what the data would show if we were to track these types of insiders through the ever-changing regulatory landscape, from before Glass-Steagall, to Gramm-Leach-Bliley, and now to Dodd-Frank. The ebb and flow of the numbers would have been very interesting to witness.

Finally, it might be negligent of us if we didn't provide some mention of system or network administrators. These trusty technological warriors help make IT organizations around the world hum with productivity, and they oftentimes possess the proverbial keys-to-the-kingdom. Though we have seen cases in which they were responsible for data breaches, they have rarely registered more than a blip on the radar in the last couple of years. We mentioned in an earlier section that we have analyzed the incidents for a single organization over the course of a year. In that dataset, admin-related incidents occur frequently, but they are mostly of the visibility and downtime variety.
Partner Agents (
A few examples should help:

1. If the partner's actions are the direct cause of the incident, they ARE a threat agent.
2. If the partner's actions create circumstances or conditions that, if/when acted upon by another agent, allow the primary chain of threat events to proceed, the partner is NOT a threat agent. We consider this to be a conditional event, and the partner can be viewed as a contributing agent. Their actions had more to do with the victim's security or vulnerability than with the threat itself.
3. If the partner owns, hosts, or manages the victim's assets involved in an incident, it does NOT necessarily follow that they are a threat agent. They may be (if their actions led to the incident), but they are not guilty simply by this association.

Example #2 seems to be a sticking point for most people. To further illustrate what we mean, let us consider the following scenario. Suppose a third party remotely administers a customer's devices over the Internet via some kind of remote access or desktop service. Further suppose this partner forgets to set or misconfigures a security setting (to pick something admins would never do, like neglecting to change default credentials). Then, lo and behold, that device gets popped within 30 seconds of being identified when an organized criminal group operating out of Eastern Europe guesses the username/password. All of this, of course, is purely figurative; this would never actually happen in the real world (wink, wink). In such circumstances, the criminal group would be the only threat agent. One could capture the partner's [indirect] contribution using the VERIS-specified role "contributed to conditional event(s)" along with a suitable Error threat action. This essentially states that the partner created a vulnerability (the conditional event) that was exploited by the external threat agent.

All in all, the observations made over the last two years remain true: organizations that outsource their IT management and support also outsource a great deal of trust to their chosen partners. A partner's lax security practices and poor governance, often outside the victim's control or expertise, are frequently catalysts in security incidents. Nevertheless, outsourcing can have many benefits, and the best way to counteract the associated risk is through third-party policies, contracts, controls, and assessments. One caveat to outsourcing is that you can outsource business functions, but you cannot outsource the risk and responsibility to a third party. These must be borne by the organization that asks the population to trust that they will do the right thing with their data.
Threat Actions

Threat actions describe what the threat agent did to cause or to contribute to the breach. Every data breach contains one or more of them, causing the percentages to add up to more than 100%. Within VERIS, actions are classified into seven high-level categories (each of which will be covered in detail in the following sections).

Hacking and malware have traditionally led the pack, but this year they've pulled away from the group even further while waving "Hi Mom!" at the camera. Out of the 855 incidents this year, 81% leveraged hacking, 69% included malware, and an impressive 61% of breaches featured a combination of hacking techniques and malware. Out of the 602 incidents with two or more events, hacking and malware were used in 86% of the attacks (more on the relationship of threat actions can be found in Appendix A).
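The percentages above are multi-label tallies (a breach using hacking and malware counts toward both categories), while the record counts in Figures 13 and 14 attribute each breach's records to one exclusive agent category. As an added example that is not part of the report, and that uses a constructed handful of incidents rather than DBIR case data, the Python below computes both kinds of figures from VERIS-style incident records: percent of breaches per agent and per action category, the share of breaches combining hacking and malware (overall and among incidents with two or more action categories), and records lost per exclusive agent category.

```python
"""Tally VERIS-style incident records the way the DBIR reports them.

Added example; the incidents below are constructed, not DBIR case data.
"""
from collections import Counter, defaultdict

# Each incident lists the threat agents involved, the threat-action categories
# used (one or more), and the number of records confirmed compromised.
INCIDENTS = [
    {"id": 1, "agents": ["External"], "actions": ["Hacking", "Malware"], "records": 1_200},
    {"id": 2, "agents": ["External"], "actions": ["Hacking", "Malware"], "records": 3_400},
    {"id": 3, "agents": ["External"], "actions": ["Hacking"], "records": 0},
    {"id": 4, "agents": ["Internal"], "actions": ["Misuse"], "records": 40},
    {"id": 5, "agents": ["External", "Partner"], "actions": ["Hacking", "Error"], "records": 900},
    {"id": 6, "agents": ["External"], "actions": ["Hacking", "Malware", "Social"], "records": 25_000_000},
    {"id": 7, "agents": ["Partner"], "actions": ["Misuse"], "records": 15},
    {"id": 8, "agents": ["External"], "actions": ["Physical"], "records": 600},
]


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 for an empty denominator."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def breaches_by_agent(incidents):
    """Percent of breaches involving each agent type.

    An incident with two agents counts toward both, so the values can sum
    past 100%; this mirrors the 'percent of breaches' view in Figure 10/12.
    """
    counts = Counter(a for inc in incidents for a in set(inc["agents"]))
    return {a: pct(n, len(incidents)) for a, n in counts.items()}


def records_by_exclusive_agent(incidents):
    """Records lost per exclusive category ('X only' or 'Multiple agents').

    Every record is attributed exactly once, so the shares sum to 100%;
    this is the Figure 13/14 view, where one mega-breach dominates.
    """
    totals = defaultdict(int)
    for inc in incidents:
        agents = set(inc["agents"])
        key = next(iter(agents)) + " only" if len(agents) == 1 else "Multiple agents"
        totals[key] += inc["records"]
    grand = sum(totals.values())
    return {k: (v, pct(v, grand)) for k, v in totals.items()}


def breaches_by_action(incidents):
    """Multi-label tally: percent of breaches featuring each action category.

    Most breaches use several categories, so these sum to more than 100%.
    """
    counts = Counter(cat for inc in incidents for cat in set(inc["actions"]))
    return {c: pct(n, len(incidents)) for c, n in counts.items()}


def combo_share(incidents, combo=("Hacking", "Malware")):
    """Share of breaches featuring *all* categories in `combo`.

    Returns (share of all incidents, share of incidents with two or more
    action categories), matching the two ratios quoted in the text.
    """
    wanted = set(combo)
    hits = [inc for inc in incidents if wanted <= set(inc["actions"])]
    multi = [inc for inc in incidents if len(set(inc["actions"])) >= 2]
    multi_hits = [inc for inc in multi if wanted <= set(inc["actions"])]
    return pct(len(hits), len(incidents)), pct(len(multi_hits), len(multi))


if __name__ == "__main__":
    print("Breaches by agent:", breaches_by_agent(INCIDENTS))
    print("Records by exclusive agent:", dict(records_by_exclusive_agent(INCIDENTS)))
    actions = breaches_by_action(INCIDENTS)
    print("Breaches by action:", actions, "(sum %.1f%%)" % sum(actions.values()))
    print("Hacking+Malware share (all, 2+ actions):", combo_share(INCIDENTS))
```

Because a breach that used hacking, malware and social tactics counts toward all three categories, the action percentages sum well past 100%; the exclusive record view, by contrast, sums to exactly the total, which is how a single mega-breach swings nearly all records toward one agent while contributing only one incident to the breach count.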
Overall, we've seen the categories bounce around a bit over the years. Misuse and social tactics stepped up their game in 2009 while physical techniques made a respectable appearance the year after that. The rather sharp drop in physical attacks this past year may be due to global law enforcement agencies successfully flipping the tables on those involved with skimming incidents. They focused heavily on the criminal rings behind the skimming activities rather than the individual incidents themselves, and we may be starting to see the fruits of these efforts.

[Figure: threat action categories by percent of breaches over time; legend labels only partially recoverable (Misuse, Hacking, Malware, Social, Physical, Error); 2010 values as extracted: 49%, 50%, 11%, 17%, 29%]
Whatever the explanation, one thing is absolutely clear: we see a distinct pattern emerging over the years with respect to threat actions across the full dataset. If we look at bigger organizations, however, we find a slightly different picture. Figure 18 hints at an obvious and simple truth worth mentioning: large company problems are different than small company problems. Perhaps it's because enterprises have the IT staff to address some of the low-hanging fruit (or, what is a lot more probable, the fruit rotting in the yard). However, to get to the action items for large versus small organizations, we must look at the breakdown of threat actions beyond the high-level categories (see Table 7).

[Table 7. Top threat action varieties by percent of breaches, all orgs (table truncated in extraction)]

Rank  Variety                                                          Category   Breaches   Records
1     Keylogger/Form-grabber/Spyware (capture data from user activity)  Malware    48%        35%
2     Exploitation of default or guessable credentials                 Hacking    44%        1%
3     Use of stolen login credentials                                  Hacking    32%        82%
4     Send data to external site/entity                                Malware    30%        (cut off)
Companies, big and small, saw their fair share of malicious code designed to capture user input, commonly called keyloggers. They were present in almost half of breaches (48%). This almost certainly contributed to the use of stolen credentials in roughly one out of three incidents. Another consistent threat action for large and small companies was the installation (and exploitation) of backdoors; these were leveraged in about one of every seven attacks. We can get a feel for the differing threat landscape of big and small companies by comparing Table 8, which lists the top threat actions used against larger enterprises.

Pulling information from Table 8 is a little bit problematic since the numbers are smaller (smaller datasets have larger swings in sampling error), but we can see some interesting trends. The first thing we notice is the increased presence of social tactics; a disproportionate 22% of incidents incorporated these within larger organizations. This could be because they have better perimeter defenses (forcing attackers to target humans instead of systems) or because employees of larger companies have a more complex social web (they are less likely to know the co-workers they should (or should not) trust).

Another interesting take-away from Table 8 is the lack of exploitation of default credentials. It dropped off the radar, and few of the 60 large company breaches included that threat action. Again, this could be because larger organizations have the staff and resources to tackle some of these mundane tasks, or it could be that larger companies likely have more than a single default password between the attacker and the crown jewels. This reinforces the need for the bad guys to steal login credentials to breach larger organizations. In the pages that follow, we dig deeper into each of the categories to see what we can learn about the actions leading to data breaches in 2011.

Malware (69% of breaches, 95% of records)

Malware is any malicious software, script, or code developed or used for the purpose of compromising or harming information assets without the owner's informed consent. Malware factored into over two-thirds of the 2011 caseload and 95% of all stolen data. Upon identification of malware during an investigation, the Verizon RISK team conducts objective analysis to classify and ascertain its capabilities with regard to the compromise at hand. The RISK team uses the analysis to assist the victim with containment, removal, and recovery from the infection. Malware can be classified in many ways, but we utilize a two-dimensional approach within the VERIS framework that identifies the infection vector and the functionality used to breach data. These two dimensions are directly relevant to identifying appropriate detective and preventive measures for malware.

[Table 8. Top threat action varieties by percent of breaches, larger orgs (table truncated in extraction)]

Rank  Overall rank  Variety                                                  Category   Breaches   Records
1     3             Use of stolen login credentials                          Hacking    30%        84%
2     6             Backdoor (allows remote access/control)                  Malware    18%        51%
3     7             Exploitation of backdoor or command and control channel  Hacking    17%        51%
4     9             Tampering                                                Physical   17%        (cut off)
Malware Infection Vectors

Much as it has in the past, the most common malware infection vector continues to be installation or injection by a remote attacker. This covers scenarios in which an attacker breaches a system via remote access and then deploys malware, or injects code via web application vulnerabilities. Over the past few years, the data shows that this infection vector continues an upward trend. Attackers utilized this vector in slightly more than half of malware-related cases in 2009, about 80% in 2010, and a staggering 95% in the past year. Its popularity as an infection vector likely stems from the attacker's desire to remain in control after gaining access to a system, and from its use in high-volume automated attacks against remote access services. This is most evident in the broader financially-motivated crimes (such as payment card breaches), where malware is not typically the initial vector of intrusion but rather is installed by the attacker after gaining access. This is not always true for other genres of attack. With IP theft scenarios, malware often provided the entry point after a successful social attack such as a phishing e-mail. In these cases, good defense-in-depth controls, not just antivirus software, could aid in keeping the attacker out in the first place.

When focusing on data compromise situations, e-mail is a less common infection vector. Many organizations employ antivirus products and other filtering mechanisms to successfully block or quarantine the millions of malware strains floating around the Internet. It is highly likely that e-mail would be a much larger vector if these controls were revoked.
[Figure 19. Malware infection vectors by percent of breaches within Malware. Categories: Injected by remote attacker (i.e., via SQLi); Installed by remote attacker (after system access); Installed by other malware; E-mail via user-executed attachment; Web/Internet (auto-executed/drive-by infection); Web/Internet (user-executed or downloaded). Values as extracted: 2%, 12%, 1%, 18%, 1%, 18%, 1%, 12%]

Infection via the web decreased again this past year in proportion to other vectors. We divide web-based malware into two subcategories: code that is auto-executed (a.k.a. drive-by downloads) and software that the user had to execute (clicking a malicious hyperlink). We realize that web-based malware results in countless infected systems, but only a portion of these lead to confirmed data theft.
For many web-based types of malware, users are required to visit certain infected websites. This certainly works for some scenarios, such as password-stealing Zeus malware, but less so for large-scale compromises of payment systems. Most of the infected systems appear simply to join the thousands of botnets used for DDoS and other types of attacks.

For larger organizations, the distribution of malware infection vectors is less one-sided; the data shows higher frequencies of web and e-mail infection vectors and lower frequencies of malware installed directly by attackers. Our leading theory for this shift is that attackers may find it easier to get users to install malware rather than breach the perimeter defenses of larger organizations through direct attack. The amount of unknown infection vectors is attributable to many different factors. Most often it is due to a lack of evidence (no log data, anti-forensics by the attacker, and/or premature clean-up) on the system. In these cases, it is known that malware was present, but the infection vector cannot be conclusively determined.

Malware Functionality

Of equal importance to the pathway of malware infection are the functions exhibited once it is deployed within the victim's environment. We mostly focus on malware that directly relates to the breach, but we often find and report extraneous malicious or unwanted software during the course of investigations. This serves as an additional indication of inadequately managed systems and a lack of security processes. Although malware frequently utilizes several methods to harm systems, it still serves one or more of three basic purposes in data breach scenarios: to enable or prolong access, to capture data, or to further the attack in some other manner.

Per Figure 20, the three most commonly used functions of malware continue to be logging keystrokes (and other forms of user input), sending data to external locations, and backdoors. It is important to note that these functionalities are not mutually exclusive, and it is common for a single piece of malware to feature several components. As mentioned, keyloggers appeared in over two-thirds of malware-related cases, slightly more than the previous year. These often include commercially available software packages, which are readily available on the web, and for which fully functional pirated versions can be found on peer-to-peer (P2P) networks and torrent sites. Some of these keyloggers allow the attacker to build pre-configured remote installation packages that can be deployed on target systems. Their availability, ease of use, and configuration, as well as their anti-forensics capabilities, such as hidi