2012 Data Breach Investigations Report

2012 DBIR: EXECUTIVE SUMMARY

2011 will almost certainly go down as a year of civil and cultural uprising. Citizens revolted, challenged, and even overthrew their governments in a domino effect that has since been coined the “Arab Spring,” though it stretched beyond a single season. Those disgruntled by what they perceived as the wealth-mongering “1%” occupied Wall Street along with other cities and venues across the globe. There is no shortage of other examples.

This unrest that so typified 2011 was not, however, constrained to the physical world. The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of “hacktivism” rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior.

It wasn’t all protest and lulz, however. Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property. We certainly encountered many faces, varied tactics, and diverse motives in the past year, and in many ways, the 2012 Data Breach Investigations Report (DBIR) is a recounting of the many facets of corporate data theft.

855 incidents, 174 million compromised records.

This year our DBIR includes more incidents, derived from more contributors, and represents a broader and more diverse geographical scope. The number of compromised records across these incidents skyrocketed back up to 174 million after reaching an all-time low (or high, depending on your point of view) in last year’s report of four million. In fact, 2011 boasts the second-highest data loss total since we started keeping track in 2004.

2012 DATA BREACH INVESTIGATIONS REPORT
A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service.



Once again, we are proud to announce that the United States Secret Service (USSS) and the Dutch National High Tech Crime Unit (NHTCU) have joined us for this year’s report. We also welcome the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISS), and the Police Central eCrimes Unit (PCeU) of the London Metropolitan Police. These organizations have broadened the scope of the DBIR tremendously with regard to data breaches around the globe. We heartily thank them all for their spirit of cooperation, and sincerely hope this report serves to increase awareness of cybercrime, as well as our collective ability to fight it.

With the addition of Verizon’s 2011 caseload and data contributed from the organizations listed above, the DBIR series now spans eight years, well over 2000 breaches, and greater than one billion compromised records. It’s been a fascinating and informative journey, and we are grateful that many of you have chosen to come along for the ride. As always, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers. We begin with a few highlights below.

DATA COLLECTION

The underlying methodology used by Verizon remains relatively unchanged from previous years. All results are based on first-hand evidence collected during paid external forensic investigations conducted by Verizon from 2004 to 2011. The USSS, NHTCU, AFP, IRISS, and PCeU differed in precisely how they collected data contributed for this report, but they shared the same basic approach. All leveraged VERIS as the common denominator but used varying mechanisms for data entry. From the numerous investigations worked by these organizations in 2011, in alignment with the focus of the DBIR, the scope was narrowed to only those involving confirmed organizational data breaches.

A BRIEF PRIMER ON VERIS

VERIS is a framework designed to provide a common language for describing security incidents in a structured and repeatable manner. It takes the narrative of “who did what to what (or whom) with what result” and translates it into the kind of data you see presented in this report. Because many readers asked about the methodology behind the DBIR and because we hope to facilitate more information sharing on security incidents, we have released VERIS for free public use. A brief overview of VERIS is available on our website [1] and the complete framework can be obtained from the VERIS community wiki [2]. Both are good companion references to this report for understanding terminology and context.

[1] http://www.verizonbusiness.com/resources/whitepapers/wp_verizon-incident-sharing-metrics-framework_en_xg.pdf
[2] https://verisframework.wiki.zoho.com/


SUMMARY STATISTICS

WHO IS BEHIND DATA BREACHES?

98% stemmed from external agents (+6%)
4% implicated internal employees (-13%)

No big surprise here; outsiders are still dominating the scene of corporate data theft. Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011. Activist groups created their fair share of misery and mayhem last year as well, and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role across the caseload. As one might expect with such a rise in external attackers, the proportion of insider incidents declined yet again this year to a comparatively scant 4%.


WHERE SHOULD MITIGATION EFFORTS BE FOCUSED?

Once again, this study reminds us that our profession has the necessary tools to get the job done. The challenge for the good guys lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time. Evidence shows when that happens, the bad guys are quick to take advantage of it.

As you’ll soon see, we contrast findings for smaller and larger organizations throughout this report. You will get a sense for how very different (and in some cases how very similar) their problems tend to be. Because of this, it makes sense that the solutions to these problems are different as well. Thus, most of the recommendations given at the end of this report relate to larger organizations. It’s not that we’re ignoring the smaller guys; it’s just that while modern cybercrime is a plague upon their house, the antidote is fairly simple and almost universal.

Larger organizations exhibit a more diverse set of issues that must be addressed through an equally diverse set of corrective actions. We hope the findings in this report help to prioritize those efforts, but truly tailoring a treatment strategy to your needs requires an informed and introspective assessment of your unique threat landscape.

Smaller organizations
• Implement a firewall or ACL on remote access services
• Change default credentials of POS systems and other Internet-facing devices
• If a third party vendor is handling the two items above, make sure they’ve actually done them

Larger organizations
• Eliminate unnecessary data; keep tabs on what’s left
• Ensure essential controls are met; regularly check that they remain so
• Monitor and mine event logs
• Evaluate your threat landscape to prioritize your treatment strategy
• Refer to the conclusion of this report for indicators and mitigators for the most common threats

THREAT EVENT OVERVIEW

In last year’s DBIR, we presented the VERIS threat event grid populated with frequency counts for the first time. Other than new data sharing partners, it was one of the most well received features of the report. The statistics throughout this report provide separate analysis of the Agents, Actions, Assets, and Attributes observed, but the grid presented here ties it all together to show intersections between the 4 A’s. It gives a single big-picture view of the threat events associated with data breaches in 2011. Figure 1 (overall dataset) and Figure 2 (larger orgs) use the structure of Figure 1 from the Methodology section in the full report, but replace TE#s with the total number of breaches in which each threat event was part of the incident scenario [3]. This is our most consolidated view of the 855 data breaches analyzed this year, and there are several things worth noting.

When we observe the overall dataset from a threat management perspective, only 40 of the 315 possible threat events have values greater than zero (13%). Before going further, we need to restate that not all intersections in the grid are feasible. Readers should also remember that this report focuses solely on data breaches. During engagements where we have worked with organizations to VERIS-ize all their security incidents over the course of a year, it’s quite interesting to see how different these grids look when compared to DBIR datasets. As one might theorize, Error and Misuse as well as Availability losses prove much more common.

[3] In other words, 381 of the 855 breaches in 2011 involved external malware that affected the confidentiality of a server (the top left threat event).


Now back to the grids, where the results for the overall dataset share many similarities with our last report. The biggest changes are that hotspots in the Misuse and Physical areas are a little cooler, while Malware and Hacking against Servers and User Devices are burning brighter than ever. Similarly, the list of top threat events in Table 3 in the full report feels eerily familiar.

Separating the threat events for larger organizations in Figure 2 yields a few additional talking points. Some might be surprised that this version of the grid is less covered than Figure 1 (22 of the 315 events, or 7%, were seen at least once). One would expect that the bigger attack surface and stronger controls associated with larger organizations would spread attacks over a greater portion of the grid. This may be true, and our results shouldn’t be used to contradict that point. We believe the lower density of Figure 2 compared to Figure 1 is mostly a result of size differences in the datasets (855 versus 60 breaches). With respect to threat diversity, it’s interesting that the grid for larger organizations shows a comparatively more even distribution across in-scope threat events (i.e., less extreme clumping around Malware and Hacking). Based on descriptions in the press of prominent attacks leveraging forms of social engineering and the like, this isn’t a shocker.
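The grid described above is a straightforward tally once each breach is recorded as a set of (agent, action, asset, attribute) events. The following is an added example, not code from the DBIR or the VERIS project: it builds a simplified A4 grid in Figure 1's layout from a few constructed incidents and reports the "N of 315 cells non-zero" coverage figure. The tuple layout of an event and the sample incidents are assumptions, not the real VERIS schema.

```python
# Added example, not from the DBIR or the VERIS project: tallying a simplified
# A4 threat-event grid (Figure 1's layout) from constructed incident records.
# The tuple layout of an event is an assumption, not the real VERIS schema.
from collections import Counter
from itertools import product

AGENTS = ["Ext", "Int", "Prt"]                       # external, internal, partner
ACTIONS = ["Malware", "Hacking", "Social", "Misuse", "Physical", "Error", "Environmental"]
ASSETS = ["Servers", "Networks", "User Devices", "Offline Data", "People"]
ATTRIBUTES = ["Confidentiality & Possession", "Integrity & Authenticity", "Availability & Utility"]

# 3 agents x 7 actions x 5 assets x 3 attributes = the report's 315 possible threat events.
GRID_CELLS = set(product(AGENTS, ACTIONS, ASSETS, ATTRIBUTES))

# Constructed, hypothetical incidents: each is the list of threat events in its scenario.
SAMPLE_INCIDENTS = [
    # POS breach: external keylogger installed on a user device, card data read from it.
    [("Ext", "Malware", "User Devices", "Integrity & Authenticity"),
     ("Ext", "Malware", "User Devices", "Confidentiality & Possession")],
    # Stolen credentials used on a server, then a backdoor installed on it.
    [("Ext", "Hacking", "Servers", "Confidentiality & Possession"),
     ("Ext", "Malware", "Servers", "Integrity & Authenticity")],
    # Insider misuse of database access.
    [("Int", "Misuse", "Servers", "Confidentiality & Possession")],
    # Another external hacking breach of a server; repeats incident 2's first cell,
    # and repeats one event inside the same breach (which must count only once).
    [("Ext", "Hacking", "Servers", "Confidentiality & Possession"),
     ("Ext", "Hacking", "Servers", "Integrity & Authenticity"),
     ("Ext", "Hacking", "Servers", "Confidentiality & Possession")],
]


def build_grid(incidents):
    """Count, per cell, the number of breaches in which that threat event appeared.
    A cell repeated inside one incident counts once, matching the report's definition
    ("total number of breaches in which each threat event was part of the scenario")."""
    counts = Counter()
    for events in incidents:
        for event in set(events):
            if event not in GRID_CELLS:
                raise ValueError(f"not a valid A4 cell: {event}")
            counts[event] += 1
    return counts


def coverage(counts):
    """(non-zero cells, total cells, percent): the report's '40 of the 315 ... (13%)' figure."""
    nonzero = sum(1 for cell in GRID_CELLS if counts[cell] > 0)
    return nonzero, len(GRID_CELLS), round(100 * nonzero / len(GRID_CELLS))


def top_events(counts, n=3):
    """The n hottest cells, the equivalent of the report's list of top threat events."""
    return counts.most_common(n)


def render_rows(counts, asset):
    """Text rows for one asset in Figure 1's column order: action-major, Ext/Int/Prt minor."""
    rows = []
    for attr in ATTRIBUTES:
        cells = [counts[(agent, action, asset, attr)] for action in ACTIONS for agent in AGENTS]
        rows.append(f"{attr:<30}" + " ".join(f"{c:>3}" for c in cells))
    return rows


if __name__ == "__main__":
    grid = build_grid(SAMPLE_INCIDENTS)
    print("non-zero cells: %d of %d (%d%%)" % coverage(grid))
    print(" " * 30 + "".join(f"{a:<12}" for a in ACTIONS))
    for asset in ASSETS:
        print(asset)
        for row in render_rows(grid, asset):
            print("  " + row)
```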

Figure 1. VERIS A4 Grid depicting the frequency of high-level threat events (overall dataset)

Columns: Malware, Hacking, Social, Misuse, Physical, Error, Environmental, each split into Ext / Int / Prt (external, internal, partner agents). Rows: asset category by attribute. Non-zero cells only, listed left to right within each row (column positions are not preserved in this transcript); the first value of the Servers / Confidentiality & Possession row, 381, is external Malware, per footnote 3.

Servers
  Confidentiality & Possession: 381, 518, 1, 9, 8, 1, 2, 1
  Integrity & Authenticity: 397, 422, 1, 6, 1, 1
  Availability & Utility: 2, 6, 5
Networks
  Confidentiality & Possession: 1
  Integrity & Authenticity: 1, 1
  Availability & Utility: 1, 1, 1
User Devices
  Confidentiality & Possession: 356, 419, 1, 86
  Integrity & Authenticity: 355, 355, 1, 1, 86
  Availability & Utility: 1, 3
Offline Data
  Confidentiality & Possession: 23, 1
  Integrity & Authenticity: (none)
  Availability & Utility: (none)
People
  Confidentiality & Possession: 30, 1
  Integrity & Authenticity: 59, 2
  Availability & Utility: (none)


Naturally, the full report digs into the threat agents, actions, and assets involved in 2011 breaches in much more detail. It also provides additional information on the data collection methodology for Verizon and the other contributors.

2012 DBIR: CONCLUSIONS AND RECOMMENDATIONS

This year, we’re including something new in this section. However, being the environmentally conscious group that we are, we’re going to recycle this blurb one more time:

    Creating a list of solid recommendations gets progressively more difficult every year we publish this report. Think about it; our findings shift and evolve over time but rarely are they completely new or unexpected. Why would it be any different for recommendations based on those findings? Sure, we could wing it and prattle off a lengthy list of to-dos to meet a quota but we figure you can get that elsewhere. We’re more interested in having merit than having many.

Then, we’re going to reduce and reuse some of the material we included back in the 2009 Supplemental DBIR, and recast it in a slightly different way that we hope is helpful. As mentioned, we’ve also produced something new, but made sure it had a small carbon (and page space) footprint. If you combine that with the energy saved by avoiding investigator travel, shipping evidence, and untold computational cycles, these recommendations really earn their green badge.

Figure 2. VERIS A4 Grid depicting the frequency of high-level threat events (LARGER ORGS)

Same layout as Figure 1: columns Malware, Hacking, Social, Misuse, Physical, Error, Environmental, each split into Ext / Int / Prt; non-zero cells only, listed left to right within each row (column positions are not preserved in this transcript).

Servers
  Confidentiality & Possession: 7, 33, 3, 2, 1
  Integrity & Authenticity: 10, 18, 1
  Availability & Utility: 1
Networks
  Confidentiality & Possession: (none)
  Integrity & Authenticity: (none)
  Availability & Utility: 1, 1
User Devices
  Confidentiality & Possession: 3, 6, 10
  Integrity & Authenticity: 4, 2, 10
  Availability & Utility: 1
Offline Data
  Confidentiality & Possession: 1, 1
  Integrity & Authenticity: (none)
  Availability & Utility: (none)
People
  Confidentiality & Possession: 7
  Integrity & Authenticity: 11
  Availability & Utility: (none)


Let’s start with the something new. We’ve come to the realization that many of the organizations covered in this report are probably not getting the message about their security. We’re talking about the smaller organizations that have one (or a handful) of POS systems. The cutout below was created especially for them and we need your help. We invite you, our reader, to cut it out, and give it to restaurants, retailers, hotels, or other establishments that you frequent. In so doing, you’re helping to spread a message that they need to hear. Not to mention, it’s a message that the rest of us need them to hear too. These tips may seem simple, but all the evidence at our disposal suggests a huge chunk of the problem for smaller businesses would be knocked out if they were widely adopted.

POINT-OF-SALE SECURITY TIPS

Greetings. You were given this card because someone likes your establishment. They wanted to help protect your business as well as their payment and personal information.

It may be easy to think “that’ll never happen to me” when it comes to hackers stealing your information. But you might be surprised to know that most attacks are directed against small companies and most can be prevented with a few small and relatively easy steps. Below you’ll find a few tips based on Verizon’s research into thousands of security breaches affecting companies like yours that use point-of-sale (POS) systems to process customer payments. If none of it makes sense to you, please pass it on to management.

• Change administrative passwords on all POS systems. Hackers are scanning the Internet for easily guessable passwords.
• Implement a firewall or access control list on remote access/administration services. If hackers can’t reach your system, they can’t easily steal from it.

After that, you may also wish to consider these:
• Avoid using POS systems to browse the web (or anything else on the Internet for that matter)
• Make sure your POS is a PCI DSS compliant application (ask your vendor)

If a third-party vendor looks after your POS systems, we recommend asking them to confirm that these things have been done. If possible, obtain documentation. Following these simple practices will save a lot of wasted money, time, and other troubles for your business and your customers.

For more information, visit www.verizon.com/enterprise/databreach (but not from your POS).

Figure 3. Cost of recommended preventive measures by percent of breaches*
* Verizon caseload only

                          ALL ORGS   LARGER ORGS
Simple and cheap             63%        40%
Intermediate                 31%        55%
Difficult and expensive       3%         5%
Unknown                       3%     not shown


For those who don’t remember (tsk, tsk), the 2009 Supplemental DBIR was an encyclopedia of sorts for the top threat actions observed back then. Each entry contained a description, associated threat agents, related assets, commonalities, indicators, mitigators, and a case study. To provide relevant and actionable recommendations to larger organizations this year, we’re repurposing the indicators and mitigators part from that report.

Indicators: Warning signs and controls that can detect or indicate that a threat action is underway or has occurred.

Mitigators: Controls that can deter or prevent threat actions or aid recovery/response (contain damage) in the wake of their occurrence.

Our recommendations will be driven off of Table 7 in the full report, which is in the Threat Action Overview section, and shows the top ten threat actions against larger organizations. Rather than repeat the whole list here, we’ll summarize the points we think represent the largest opportunities to reduce our collective exposure to loss:

• Keyloggers and the use of stolen credentials
• Backdoors and command control
• Tampering
• Pretexting
• Phishing
• Brute force
• SQL injection

Hacking: Use of stolen credentials

Description: Refers to instances in which an attacker gains access to a protected system or device using valid but stolen credentials.

Indicators: Presence of malware on system; user behavioral analysis indicating anomalies (i.e., abnormal source location or logon time); use of last logon banner (can indicate unauthorized access); monitor all administrative/privileged activity.

Mitigators: Two-factor authentication; change passwords upon suspicion of theft; time-of-use rules; IP blacklisting (consider blocking large address blocks/regions if they have no legitimate business purpose); restrict administrative connections (i.e., only from specific internal sources). For preventing stolen credentials, see Keyloggers and Spyware, Pretexting, and Phishing entries.

Malware: Backdoors, Command and Control
Hacking: Exploitation of backdoor or command and control channel

Description: Tools that provide remote access to and/or control of infected systems. Backdoor and command/control programs bypass normal authentication mechanisms and other security controls enabled on a system and are designed to run covertly.

Indicators: Unusual system behavior or performance (several victims noted watching the cursor navigating files without anyone touching the mouse); unusual network activity; IDS/IPS (for non-customized versions); registry monitoring; system process monitoring; routine log monitoring; presence of other malware on system; AV disabled.

During investigations involving suspected malware we commonly examine active system processes and create a list of all system contents sorted by creation/modification date. These efforts often reveal malicious files in the Windows\system32 and user temporary directories.

Mitigators: Egress filtering (these tools often operate via odd ports, protocols, and services); use of proxies for outbound traffic; IP blacklisting (consider blocking large address blocks/regions if they have no legitimate business purpose); host IDS (HIDS) or integrity monitoring; restrict user administrative rights; personal firewalls; data loss prevention (DLP) tools; anti-virus and anti-spyware (although increased customization is rendering AV less effective; we discovered one backdoor recognized by only one of forty AV vendors we tried); web browsing policies.

Physical: Tampering

Description: Unauthorized altering or interfering with the normal state or operation of an asset. Refers to physical forms of tampering rather than, for instance, altering software or system settings.

Indicators: An unplanned or unscheduled servicing of the device. Presence of scratches, adhesive residue, holes for cameras, or an overlay on keypads. Don’t expect tampering to be obvious (overlay skimmers may be custom made to blend in with a specific device while internal tampering may not be visible from the outside). Tamper-proof seal may be broken. In some cases an unknown Bluetooth signal may be present and persist. Keep in mind that ATM/gas skimmers may only be in place for hours, not days or weeks.

Mitigators: Train employees and customers to look for and detect signs of tampering. Organizations operating such devices should conduct examinations throughout the day (e.g., as part of shift change). As inspection occurs, keep in mind that if the device takes a card and a PIN, both are generally targeted (see indicators). Set up and train all staff on a procedure for service technicians; be sure it includes a method to schedule and authenticate the technician and/or maintenance vendors. Push vendor for anti-tamper technology/features or only purchase POS and PIN devices with anti-tamper technology (e.g., tamper switches that zero out the memory, epoxy covered electronics).

Keylogger/Form-grabber/Spyware

Description: Malware that is specifically designed to collect, monitor, and log the actions of a system user. Typically used to collect usernames and passwords as part of a larger attack scenario. Also used to capture payment card information on compromised POS devices. Most run covertly to avoid alerting the user that their actions are being monitored.

Indicators: Unusual system behavior or performance; unusual network activity; IDS/IPS (for non-customized versions); registry monitoring; system process monitoring; routine log monitoring; presence of other malware on system; signs of physical tampering (e.g., attachment of foreign device). For indicators that harvested credentials are in use, see Unauthorized access via stolen credentials.

During investigations involving suspected malware we commonly examine active system processes and create a list of all system contents sorted by creation/modification date. These efforts often reveal malicious files in the Windows\system32 and user temporary directories.

Mitigators: Restrict user administrative rights; code signing; use of live boot CDs; onetime passwords; anti-virus and anti-spyware; personal firewalls; web content filtering and blacklisting; egress filtering (these tools often send data out via odd ports, protocols, and services); host IDS (HIDS) or integrity monitoring; web browsing policies; security awareness training; network segmentation.

Pretexting (Social Engineering)

Description: A social engineering technique in which the attacker invents a scenario to persuade, manipulate, or trick the target into performing an action or divulging information. These attacks exploit bugs in human hardware and, unfortunately, there is no patch for this.

Indicators: Very difficult to detect as it is designed to exploit human weaknesses and bypasses technological alerting mechanisms. Unusual communication, requests outside of normal workflow, and instructions to provide information or take actions contrary to policies should be viewed as suspect. Call logs; visitor logs; e-mail logs.

Mitigators: General security awareness training; clearly defined policies and procedures; do not train staff to ignore policies through official actions that violate them; train staff to recognize and report suspected pretexting attempts; verify suspect requests through trusted methods and channels; restrict corporate directories (and similar sources of information) from public access.

Brute-force attack

Description: An automated process of iterating through possible username/password combinations until one is successful.

Indicators: Routine log monitoring; numerous failed login attempts (especially those indicating widespread sequential guessing); help desk calls for account lockouts.

Mitigators: Technical means of enforcing password policies (length, complexity, clipping levels); account lockouts (after x tries); password throttling (increasing lag after successive failed logins); password cracking tests; access control lists; restrict administrative connections (i.e., only from specific internal sources); two-factor authentication; CAPTCHA.
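The indicators and mitigators in this entry map directly onto code. As an added example (not from the DBIR), the detector below runs over constructed sshd-style auth lines (hypothetical hosts and addresses) and flags a source whose failures cluster in a short window, reports how many distinct usernames it cycled through (the "sequential guessing" sign) and whether a success followed the burst; the throttle implements "increasing lag after successive failed logins" with a lockout after x tries. Thresholds are assumptions to be tuned per environment.

```python
# Added example, not from the DBIR: brute-force indicators over constructed auth
# log lines, plus the throttling/lockout mitigator. Hosts, addresses and users are
# hypothetical; thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
Nov 21 02:14:01 pos-gw sshd[1201]: Failed password for root from 198.51.100.23 port 40001 ssh2
Nov 21 02:14:03 pos-gw sshd[1203]: Failed password for admin from 198.51.100.23 port 40002 ssh2
Nov 21 02:14:05 pos-gw sshd[1205]: Failed password for invalid user test from 198.51.100.23 port 40003 ssh2
Nov 21 02:14:07 pos-gw sshd[1207]: Failed password for invalid user user1 from 198.51.100.23 port 40004 ssh2
Nov 21 02:14:09 pos-gw sshd[1209]: Failed password for invalid user user2 from 198.51.100.23 port 40005 ssh2
Nov 21 02:14:11 pos-gw sshd[1211]: Failed password for invalid user user3 from 198.51.100.23 port 40006 ssh2
Nov 21 02:14:13 pos-gw sshd[1213]: Accepted password for admin from 198.51.100.23 port 40007 ssh2
Nov 21 09:02:44 pos-gw sshd[1402]: Failed password for jsmith from 10.20.1.15 port 51022 ssh2
Nov 21 09:02:50 pos-gw sshd[1404]: Accepted password for jsmith from 10.20.1.15 port 51023 ssh2
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")


def parse(log, year=2011):
    """Yield (time, outcome, user, source) for each sshd auth line; other lines are skipped.
    syslog lines carry no year, so one is supplied."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def find_brute_force(log, max_failures=5, window=timedelta(minutes=5), min_users=3):
    """Flag sources with more than max_failures failures inside `window`. For each,
    report the distinct usernames tried (many = sequential guessing) and whether a
    success followed the burst, which is the case that needs incident response."""
    failures = defaultdict(list)      # source -> [(time, user)]
    successes = defaultdict(list)     # source -> [(time, user)]
    for ts, outcome, user, src in parse(log):
        (failures if outcome == "Failed" else successes)[src].append((ts, user))
    findings = {}
    for src, events in failures.items():
        for i in range(len(events)):
            burst = [e for e in events[i:] if e[0] - events[i][0] <= window]
            if len(burst) > max_failures:
                users = {u for _, u in burst}
                last_fail = burst[-1][0]
                findings[src] = {
                    "failures": len(burst),
                    "distinct_users": len(users),
                    "sequential_guessing": len(users) >= min_users,
                    "success_after_burst": any(t > last_fail for t, _ in successes[src]),
                }
                break
    return findings


def throttle_delay(consecutive_failures, base_seconds=1, lockout_after=10, cap=300):
    """Mitigator: lag that doubles with each successive failure, then a lockout.
    Returns seconds to wait before the next attempt, or None once the account should lock."""
    if consecutive_failures >= lockout_after:
        return None
    if consecutive_failures <= 0:
        return 0
    return min(base_seconds * 2 ** (consecutive_failures - 1), cap)


if __name__ == "__main__":
    for src, detail in find_brute_force(LOG).items():
        print(src, detail)
    print("throttle schedule:", [throttle_delay(n) for n in range(0, 11)])
```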

SQL injection

Description: SQL Injection is an attack technique used to exploit how web pages communicate with back-end databases. An attacker can issue commands (in the form of specially crafted SQL statements) to a database using input fields on a website.

Indicators: Routine log monitoring (especially web server and database); IDS/IPS.

Mitigators: Secure development practices; input validation (escaping and whitelisting techniques); use of parameterized queries and/or stored procedures; adhere to principles of least privilege for database accounts; removal of unnecessary services; system hardening; disable output of database error messages to the client; application vulnerability scanning; penetration testing; web application firewall.
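The description above says input fields become SQL statements; the mitigator list says parameterize. The following added example (not code from the report) shows both halves side by side against an in-memory SQLite table: a login check built by string concatenation, which two classic payloads bypass, and the same check with bound parameters, which the same payloads fail against. The users table, the payloads and the whitelist pattern are constructed for the example.

```python
"""String-built SQL beside its parameterized form, against an in-memory SQLite
database. Added example, not code from the report; the users table and the
two injection payloads are constructed."""
import re
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Input is spliced into the statement, so quotes and comment markers in it
    change the query's structure rather than being treated as data."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Bound parameters never reach the parser as SQL; the same payloads are
    compared literally against the stored values and simply fail to match."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(value):
    """Whitelist validation as defense in depth (the report's 'escaping and
    whitelisting'); it is not a substitute for parameterization."""
    return bool(USERNAME_RE.match(value))


# Two classic payloads: comment out the password check, and make the WHERE
# clause always true.
PAYLOAD_COMMENT = ("alice' --", "wrong")
PAYLOAD_TAUTOLOGY = ("' OR '1'='1", "' OR '1'='1")


if __name__ == "__main__":
    db = setup_db()
    for user, pw in (PAYLOAD_COMMENT, PAYLOAD_TAUTOLOGY):
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "parameterized:", login_parameterized(db, user, pw))
```

The comment payload turns the statement into `... WHERE username = 'alice' --' AND password = 'wrong'`, so the password clause is never evaluated; the tautology payload makes the final `OR '1'='1'` true for every row. Neither does anything in the parameterized version, which is the point of that mitigator: the fix is structural, not a matter of filtering characters.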


Unauthorized access via default credentials

Description: Refers to instances in which an attacker gains access to a system or device protected by standard preset (and therefore widely known) usernames and passwords.

Indicators: User behavioral analysis (e.g., abnormal logon time or source location); monitor all administrative/privileged activity (including third parties); use of last logon banner (can indicate unauthorized access).

Mitigators: Change default credentials (prior to deployment); delete or disable default account; scan for known default passwords (following deployment); password rotation (because it helps enforce change from default); inventory of remote administrative services (especially those used by third parties). For third parties: contracts (stipulating password requirements); consider sharing administrative duties; scan for known default passwords (for assets supported by third parties).
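"Scan for known default passwords (following deployment)" and "for assets supported by third parties" can be done without touching the devices if you already hold a hashed credential export from the asset inventory. The following added example (not code from the report) audits such an export offline: it flags accounts whose hash matches a vendor default, separately flags default account names that survive with a changed password (the "delete or disable default account" mitigator), and groups the findings by who manages the device so third-party findings can be taken back to the contract holder. The device types, default list, inventory rows and owners are all constructed.

```python
"""Offline audit of an asset inventory against a list of known default
credentials. Added example, not from the report: the device types, the default
credential list, the inventory export (salted SHA-256 of each account's
password) and the owners are all constructed."""
import hashlib

# Constructed stand-in for a vendor default list; real lists are per model
# and firmware version.
KNOWN_DEFAULTS = {
    "pos-terminal": [("admin", "admin"), ("manager", "manager1")],
    "router": [("admin", "password"), ("admin", "admin")],
}


def credential_hash(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(device, kind, account, salt, password, managed_by):
    """Build one inventory row the way a hashed credential export would look."""
    return {"device": device, "type": kind, "account": account, "salt": salt,
            "hash": credential_hash(salt, password), "managed_by": managed_by}


INVENTORY = [
    make_record("pos-01", "pos-terminal", "admin", "a1", "admin", "internal"),
    make_record("pos-02", "pos-terminal", "admin", "b2", "Vq7#pL2!xR9m", "internal"),
    make_record("rtr-01", "router", "admin", "c3", "password", "internal"),
    make_record("rtr-02", "router", "netops", "d4", "T4k$wN8@hB1z", "internal"),
    make_record("rtr-03", "router", "admin", "e5", "admin", "acme-msp"),
]


def audit(inventory, defaults):
    """Flag 'default-password' when an account's hash matches a known default
    for that device type, and 'default-account' when the vendor's default
    account name is still present even though its password was changed."""
    findings = []
    for item in inventory:
        candidates = [(u, p) for u, p in defaults.get(item["type"], [])
                      if u == item["account"]]
        if not candidates:
            continue
        matched = any(item["hash"] == credential_hash(item["salt"], p)
                      for _, p in candidates)
        findings.append({"device": item["device"], "account": item["account"],
                         "managed_by": item["managed_by"],
                         "finding": "default-password" if matched else "default-account"})
    return findings


def by_owner(findings):
    """Group findings by who manages the device, so third-party-managed assets
    can be taken back to the contract holder."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["managed_by"], []).append((f["device"], f["finding"]))
    return grouped


if __name__ == "__main__":
    for owner, items in by_owner(audit(INVENTORY, KNOWN_DEFAULTS)).items():
        print(owner, items)
```

The hash comparison is what lets this run against an export rather than the live devices; the trade-off is that it only catches the defaults in your list, so the list needs the same care as the inventory.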

Phishing (and endless *ishing variations)

Description: A social engineering technique in which an attacker uses fraudulent electronic communication (usually e-mail) to lure the recipient into divulging information. Most appear to come from a legitimate entity and contain authentic-looking content. The attack often incorporates a fraudulent website component as well as the lure.

Indicators: Difficult to detect given the quasi-technical nature and ability to exploit human weaknesses. Unsolicited and unusual communication; instructions to provide information or take actions contrary to policies; requests outside of normal workflow; poor grammar; a false sense of urgency; e-mail logs.

Mitigators: General security awareness training; clearly defined policies and procedures; do not train staff to ignore policies through official actions that violate them; policies regarding use of e-mail for administrative functions (e.g., password change requests, etc.); train staff to recognize and report suspected phishing messages; verify suspect requests through trusted methods and channels; configure e-mail clients to render HTML e-mails as text; anti-spam; e-mail attachment virus checking and filtering.
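Several of the indicators above (a false sense of urgency, a fraudulent website behind the lure) and the "render HTML e-mails as text" mitigator can be checked mechanically before a message reaches a person. The following added example (not code from the report) parses one constructed raw e-mail and reports three things: a Reply-To domain that differs from the sender's, urgency phrases in the subject, and anchors whose visible text names one host while the href points at another, which is exactly what rendering the HTML as text would expose. The message, every domain in it and the phrase list are constructed.

```python
"""Phishing indicators from a constructed raw e-mail: a Reply-To domain that
differs from the sender, urgency language in the subject, and links whose
visible text names one host while the href points at another. Added example,
not from the report; the message and every domain in it are constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_EMAIL = """\
From: "Bank of Example Security" <alerts@example.org>
Reply-To: recover@example.net
To: jane@corp.example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear customer, we detected unusual activity. You must verify immediately
or your account will be suspended.</p>
<p><a href="http://secure-login.example.org/verify">https://bank.example.com/secure/login</a></p>
<p><a href="https://bank.example.com/help">Help center</a></p>
</body></html>
"""

URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    url = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return (urlparse(url).hostname or "").lower()


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to domain {domain_of(reply_addr)} differs "
                        f"from sender domain {domain_of(from_addr)}")
    subject = msg.get("Subject", "").lower()
    hits = [p for p in URGENCY_PHRASES if p in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))
    body = msg.get_payload(decode=True).decode(
        msg.get_content_charset() or "ascii", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        # Only text that itself looks like a URL or hostname can misstate the target.
        if "." in text and " " not in text and host_of(text) != host_of(href):
            findings.append(f"link text shows {host_of(text)} "
                            f"but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_EMAIL):
        print("-", finding)
```

None of the three checks is conclusive on its own (legitimate mail uses Reply-To, and "urgent" appears in real subjects); they are useful as a score feeding a quarantine decision, and the link check in particular is the one users cannot make with an HTML-rendering client.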


verizon.com/enterprise 2012 Verizon. All Rights Reserved. MC15244 04/12. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.


2012 DATA BREACH INVESTIGATIONS REPORT

A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service.


TABLE OF CONTENTS

Executive Summary 2
Methodology 5
Classifying Incidents Using VERIS 6
A Word on Sample Bias 8
Results and Analysis 9
Demographics 10
2011 DBIR: Threat Event Overview 13
Threat Agents 16
Breach Size by Threat Agents 18
External Agents (98% of breaches, 99+% of records) 19
Internal Agents (4% of breaches,

EXECUTIVE SUMMARY

Once again, we are proud to announce that the United States Secret Service (USSS) and the Dutch National High Tech Crime Unit (NHTCU) have joined us for this year's report. We also welcome the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISSCERT), and the Police Central e-Crime Unit (PCeU) of the London Metropolitan Police. These organizations have broadened the scope of the DBIR tremendously with regard to data breaches around the globe. We heartily thank them all for their spirit of cooperation, and sincerely hope this report serves to increase awareness of cyber crime, as well as our collective ability to fight it.

With the addition of Verizon's 2011 caseload and data contributed from the organizations listed above, the DBIR series now spans eight years, well over 2000 breaches, and greater than one billion compromised records. It's been a fascinating and informative journey, and we are grateful that many of you have chosen to come along for the ride. As always, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers. We begin with a few highlights below.


WHO IS BEHIND DATA BREACHES?

98% stemmed from external agents (+6%)

No big surprise here; outsiders are still dominating the scene of corporate data theft. Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011. Activist groups created their fair share of misery and mayhem last year as well, and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role across the caseload. As one might expect with such a rise in external attackers, the proportion of insider incidents declined yet again this year to a comparatively scant 4%.

4% implicated internal employees (-13%)


WHERE SHOULD MITIGATION EFFORTS BE FOCUSED?

Once again, this study reminds us that our profession has the necessary tools to get the job done. The challenge for the good guys lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time. Evidence shows when that happens, the bad guys are quick to take advantage of it.

As you'll see, we contrast findings for smaller and larger organizations throughout this report. You'll get a sense for how very different (and in some cases how very similar) their problems tend to be. Because of this, it makes sense that the solutions to these problems are different as well. Thus, most of the recommendations given at the end of this report relate to larger organizations. It's not that we're ignoring the smaller guys; it's just that while modern cybercrime is a plague upon their house, the antidote is fairly simple and almost universal.

Larger organizations exhibit a more diverse set of issues that must be addressed through an equally diverse set of corrective actions. We hope the findings in this report help to prioritize those efforts, but truly tailoring a treatment strategy to your needs requires an informed and introspective assessment of your unique threat landscape.

Smaller organizations
Implement a firewall or ACL on remote access services.
Change default credentials of POS systems and other Internet-facing devices.
If a third party vendor is handling the two items above, make sure they've actually done them.

Larger organizations
Eliminate unnecessary data; keep tabs on what's left.
Ensure essential controls are met; regularly check that they remain so.
Monitor and mine event logs.
Evaluate your threat landscape to prioritize your treatment strategy.
Refer to the conclusion of this report for indicators and mitigators for the most common threats.

Got a question or a comment about the DBIR? Drop us a line at dbir@verizon.com, find us on Facebook, or post to Twitter with the hashtag #dbir.


METHODOLOGY

Based on the feedback we receive about this report, one of the things readers value most is the level of rigor and honesty we employ when collecting, analyzing, and presenting data. That's important to us, and we appreciate your appreciation. Putting this report together is, quite frankly, no walk in the park (855 incidents to examine isn't exactly a light load). If nobody knew or cared, we might be tempted to shave some time and effort by cutting some corners, but the fact that you do know and do care helps keep us honest. And that's what this section is all about.

Verizon data collection methodology

The underlying methodology used by Verizon remains relatively unchanged from previous years. All results are based on first-hand evidence collected during paid external forensic investigations conducted by Verizon from 2004 to 2011. The 2011 caseload is the primary analytical focus of the report, but the entire range of data is referenced extensively throughout. Though the RISK team works a variety of engagements (over 250 last year), only those involving confirmed data compromise are represented in this report. There were 90 of these in 2011 that were completed within the timeframe of this report. To help ensure reliable and consistent input, we use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to record case data and other relevant details (fuller explanation of this to follow). VERIS data points are collected by analysts throughout the investigation lifecycle and completed after the case closes. Input is then reviewed and validated by other members of the RISK team. During the aggregation process, information regarding the identity of breach victims is removed from the repository of case data.

Data collection methodology of other contributors

The USSS, NHTCU, AFP, IRISSCERT, and PCeU differed in precisely how they collected data contributed for this report, but they shared the same basic approach. All leveraged VERIS as the common denominator but used varying mechanisms for data entry. For instance, agents of the USSS used a VERIS-based internal application to record pertinent case details. For the AFP, we interviewed lead agents for each case, recorded the required data points, and requested follow-up information as necessary. The particular mechanism of data collection is less important than the understanding that all data is based on real incidents and, most importantly, on facts about these incidents. These organizations used investigative notes, reports provided by the victim or other forensic firms, and their own experience gained in handling the case. The collected data was purged of any information that might identify organizations or individuals involved and then provided to Verizon's RISK Team for aggregation and analysis.

From the numerous investigations worked by these organizations in 2011, in alignment with the focus of the DBIR, the scope was narrowed to only those involving confirmed organizational data breaches.1 The scope was further narrowed to include only cases for which Verizon did not conduct the forensic investigation.2 All in all, these agencies contributed a combined 765 breaches for this report. Some may raise an eyebrow at the fact that Verizon's caseload represents a relatively small proportion of the overall dataset discussed in this report, but we couldn't be happier with this outcome. We firmly believe that more information creates a more complete and accurate understanding of the problem we all collectively face. If that means our data takes a backseat in a Verizon-authored publication, so be it; we'll trade share of voice for shared data any day of the week.

1 Organizational data breach refers to incidents involving the compromise (unauthorized access, theft, disclosure, etc.) of non-public information while it was stored, processed, used, or transmitted by an organization.
2 We often work, in one manner or another, with these agencies during an investigation. To eliminate redundancy, Verizon-contributed data were used when both Verizon and another agency worked the same case.


While we're on that topic, if your organization investigates or handles data breaches and might be interested in contributing to future DBIRs, let us know. The DBIR family continues to grow, and we welcome new members.

A BRIEF PRIMER ON VERIS

VERIS is a framework designed to provide a common language for describing security incidents in a structured and repeatable manner. It takes the narrative of "who did what to what (or whom) with what result" and translates it into the kind of data you see presented in this report. Because many readers asked about the methodology behind the DBIR and because we hope to facilitate more information sharing on security incidents, we have released VERIS for free public use. A brief overview of VERIS is available on our website3 and the complete framework can be obtained from the VERIS community wiki.4 Both are good companion references to this report for understanding terminology and context.

Classifying incidents using VERIS

The Incident Classification section of the VERIS framework translates the incident narrative of "who did what to what (or whom) with what result" into a form more suitable for trending and analysis. To accomplish this, VERIS employs the A4 Threat Model developed by Verizon's RISK team. In the A4 model, a security incident is viewed as a series of events that adversely affects the information assets of an organization. Every event is comprised of the following elements (the four A's):

Agent: Whose actions affected the asset
Action: What actions affected the asset
Asset: Which assets were affected
Attribute: How the asset was affected

It is our position that the four A's represent the minimum information necessary to adequately describe any incident or threat scenario. Furthermore, this structure provides an optimal framework within which to measure frequency, associate controls, link impact, and many other concepts required for risk management.

If we calculate all the combinations of the A4 model's highest-level elements (three Agents, seven Actions, five Assets, and three Attributes), 315 distinct threat events emerge.5 The grid in Figure 1 graphically represents these and designates a Threat Event Number (hereafter referenced by TE#) to each. TE1, for instance, coincides with External Malware that affects the Confidentiality of a Server. Note that not all 315 A4 combinations are feasible. For instance, malware does not, so far as we know, infect people, though it does make for intriguing sci-fi plots.

Turning incident narratives into metrics

As stated above, incidents often involve multiple threat events. Identifying which ones are in play, and using them to reconstruct the chain of events is how we model incidents to generate the statistics in this report. By way of example, we describe below a simplified hypothetical incident where a spear phishing attack is used to exfiltrate sensitive data and intellectual property (IP) from an organization. The flowchart representing the incident includes four primary threat events and one conditional event.6 A brief description of each event is given along with the corresponding TE# and A4 categories from the matrix exhibited earlier.

3 http://www.verizonbusiness.com/resources/whitepapers/wp_verizon-incident-sharing-metrics-framework_en_xg.pdf
4 https://verisframework.wiki.zoho.com/
5 Some will remember that this grid showed 630 intersections as presented in the 2011 DBIR. The difference is a result of the number of security attributes depicted. While we still recognize the six attributes of the Parkerian Hexad, we (with input from others) have decided to use and present them in paired format (e.g., confidentiality and possession losses). Thus, the notions of confidentiality versus possession are preserved, but data analysis and visualization is simplified (a common request from VERIS users). More discussion around this change can be found on the Attributes section of the VERIS wiki.
6 See the Error section under Threat Actions for an explanation of conditional events.


Once the construction of the main event chain is complete, additional classification can add more specificity around the elements comprising each event (i.e., the particular type of External agent or exact Social tactics used, etc.). The incident is now VERIS-ized and useful metrics are available for reporting and further analysis.

One final note before we conclude this sub-section. The process described above has value beyond just describing the incident itself; it helps identify what might have been done (or not done) to prevent it. The goal is straightforward: break the chain of events and you stop the incident from proceeding. For instance, security awareness training and e-mail filtering could help keep E1 from occurring. If not, anti-virus and least-privilege implementations on the laptop might prevent E2. Stopping progression between E2 and E3 may be accomplished through egress filtering or netflow analysis to detect and prevent backdoor access. Training and change control procedures could help avoid the administrator's misconfiguration described in the conditional event and preclude the compromise of intellectual property in E4. These are just a few examples of potential controls for each event, but the ability to visualize a layered approach to deterring, preventing, and detecting the incident should be apparent.

Figure 1. VERIS A4 grid depicting the 315 high-level threat events. Columns are the seven Actions (Malware, Hacking, Social, Misuse, Physical, Error, Environmental), each split by Agent (Ext, Int, Prt); rows are the five Assets (Servers, Networks, User Devices, Offline Data, People), each split by Attribute (Confidentiality & Possession, Integrity & Authenticity, Availability & Utility). Cells are numbered left to right, top to bottom: Servers/Confidentiality 1-21, Servers/Integrity 22-42, Servers/Availability 43-63, Networks 64-126, User Devices 127-189, Offline Data 190-252, People 253-315.


A WORD ON SAMPLE BIAS

Allow us to reiterate: we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. Even though the merged dataset (presumably) more closely reflects reality than any of its parts might in isolation, it is still a sample. Although we believe many of the findings presented in this report to be appropriate for generalization (and our confidence in this grows as we gather more data and compare it to that of others), bias undoubtedly exists. Unfortunately, we cannot measure exactly how much bias exists (i.e., in order to give a precise margin of error). We have no way of knowing what proportion of all data breaches are represented because we have no way of knowing the total number of data breaches across all organizations in 2011. Many breaches go unreported (though our sample does contain many of those). Many more are as yet unknown by the victim (and thereby unknown to us). What we do know is that our knowledge grows along with what we are able to study and that grew more than ever in 2011. At the end of the day, all we as researchers can do is pass our findings on to you to evaluate and use as you see fit.

Figure 2. Sample VERIS incident scenario

E1: External agent sends a phishing e-mail that successfully lures an executive to open the attachment. TE#280: External / Social / People / Integrity
E2: Malware infects the exec's laptop, creating a backdoor. TE#148: External / Malware / User Devices / Integrity
E3: External agent accesses the exec's laptop via the backdoor, viewing e-mail and other sensitive data. TE#130: External / Hacking / User Devices / Confidentiality
CE1: System administrator misconfigures access controls when building a new file server. TE#38: Internal / Error / Servers / Integrity
E4: External agent accesses a mapped file server from the exec's laptop and steals intellectual property. TE#4: External / Hacking / Servers / Confidentiality


RESULTS AND ANALYSIS

The 2011 combined dataset represents the largest we have ever covered in any single year, spanning 855 incidents and over 174 million compromised records (the second-highest total, if you're keeping track). The next few paragraphs should help make some sense of it.

In several places throughout the text, we present and discuss the entire range of data from 2004 to 2011. As you study these findings, keep in mind that the sample dataset is anything but static. The number, nature, and sources of cases change dramatically over time. Given this, you might be surprised at how stable many of the trends appear (a fact that we think strengthens their validity). On the other hand, certain trends are almost certainly more related to turmoil in the sample than significant changes in the external threat environment. As in previous reports, the chosen approach is to present the combined dataset intact and highlight interesting differences (or similarities) within the text where appropriate. There are, however, certain data points that were only collected for Verizon cases; these are identified in the text and figures.

The figures in this report utilize a consistent format. Values shown in dark gray pertain to breaches while values in red pertain to data records. The "breach" is the incident under investigation in a case and "records" refer to the amount of data units (files, card numbers, etc.) compromised in the breach. In some figures, we do not provide a specific number of records, but use a red "#" to denote a high proportion of data loss. If one of these values represents a substantial change from prior years, this is marked with an orange "+" or "-" symbol (denoting an increase or decrease). Many figures and tables in this report add up to over 100%; this is not an error. It simply stems from the fact that items presented in a list are not always mutually exclusive, and, thus, several can apply to any given incident.

Because the number of breaches in this report is so high, the use of percentages is a bit deceiving in some places (5 percent may not seem like much, but it represents over 40 incidents). Where appropriate, we show the raw number of breaches instead of or in addition to the percentages. A handy percent-to-number conversion table is shown in Table 1.

Not all figures and tables contain all possible options but only those having a value greater than zero (and some truncate more than that). To see all options for any particular figure, refer to the VERIS framework.

Some constructive criticism we received about the 2011 report suggested the dataset was so rife with smaller breach victims that it didn't apply as strongly to larger organizations as it had in years past.

We're kidding, of course; this critique is both understood and helpful. One of the problems with looking at large amounts of data for a diverse range of organizations is that averages across the whole are just that: average. Because the numbers speak for all organizations, they don't really speak to any particular organization or demographic. This is unavoidable. We've made the conscious decision to study all types of data breaches as they affect all types of organizations, and if some businesses are dropping like flies, we're not going to exclude them because they inflate our data. What we can do, however, is to present the results in such a way that they are more readily applicable to certain groups.

Table 1. Key for converting percentages to breaches in the 2012 DBIR dataset (855 breaches)

%     #
1%    9
5%    43
10%   86
25%   214
33%   282
50%   428


We could split the dataset a myriad of ways, but we've chosen (partially due to the initial criticism mentioned above) to highlight differences (and similarities) between smaller and larger organizations (the latter having at least 1000 employees). We hope this alleviates the concern and makes the findings in this report both generally informative and particularly useful.

Oh, and though we don't exactly condone schadenfreude, we do hope you find it enjoyable.

DEMOGRAPHICS

Every year we begin with the demographics from the previous year's breach victims because it sets the context for the rest of the information presented in the report. Establishing how the breaches break down across industries, company size, and geographic location should help you put some perspective around the juicy bits presented in the following sections.

This year we altered how we collect some of the demographic data. We decided to stop using our own list of industries and adopt the North American Industry Classification System (which is cross-referenced to other common classifications). As a result, some of the trending and comparison from the industry breakdowns in previous years loses some consistency, but for the most part the classifications map closely enough that comparisons are not without value.

As Figure 3 shows, the top three spots carry over from our last report. The most-afflicted industry, once again, is Accommodation and Food Services, consisting of restaurants (around 95%) and hotels (about 5%). The Finance and Insurance industry dropped from 22% in 2010 to approximately 10% last year. While we've derived a range of plausible (and not-so-plausible) explanations for the widening gap between Finance and Food Services, we will reserve most of these for more applicable sections in the report. Suffice it to say that it appears the cybercrime industrialization trend that heavily influenced findings in our last report (and has been echoed by other reports in the industry7) is still in full swing.

When looking at the breakdown of records lost per industry in Figure 4, however, we find a very different result. The chart is overwhelmed by two industries that barely make a showing in Figure 3 and have not previously contributed to a large share of data loss: Information and Manufacturing. We touch more on this throughout the report, but this surprising shift is mainly the result of a few very large breaches that hit organizations in these industries in 2011. We suspect the attacks affecting these organizations were directed against their brand and/or their data rather than towards their industry.

7 For instance, see Trustwave's 2012 Global Security Report discussing growing attacks against franchises.


The North American Industry Classification System (NAICS) is the standard used by Federal statistical agencies in classifying business establishments for the purpose of collecting, analyzing, and publishing statistical data related to the U.S. business economy. NAICS was developed under the auspices of the Office of Management and Budget (OMB), and adopted in 1997 to replace the Standard Industrial Classification (SIC) system. It was developed jointly by the U.S. Economic Classification Policy Committee (ECPC), Statistics Canada, and Mexico's Instituto Nacional de Estadistica y Geografia, to allow for a high level of comparability in business statistics among the North American countries.

Source: http://www.census.gov/eos/www/naics/


Redrawing Figure 4 with the outliers removed reveals what is perhaps a more representative (or typical) account of compromised records across industries. Figure 5 is a bit more in line with historical data and bears some resemblance to Figure 3 above.

Once again, organizations of all sizes are included among the 855 incidents in our dataset. Smaller organizations represent the majority of these victims, as they did in the last DBIR. Like some of the industry patterns, this relates to the broad industrialized attacks mentioned above; they can be carried out against large numbers in a surprisingly short timeframe with little to no resistance (from the victims, that is; law enforcement is watching and resisting. See the Discovery Methods section as well as Appendix B). Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cybercriminals understand this very well. Thus, the number of victims in this category continues to swell.

The rather large number of breaches tied to organizations of unknown size requires a quick clarification. While we ask DBIR contributors for demographic data, sometimes this information is not known or not relayed to us. There are valid situations where one can know details about attack methods and other characteristics, but little about victim demographics. This isn't ideal, but it happens. Rather than flushing the useful data, we're using what can be validated and simply labeling what cannot be known (see Table 2).

As mentioned in the Methodology section, we will be breaking out findings where appropriate for larger organizations, which we define as those with at least 1000 employees. Remember that as you read this report. So that you have a better idea of the makeup of this subset, Figure 6 shows the industries of the 60 organizations meeting this criteria.

Figure 4. Compromised records by industry: Information 52% (+), Manufacturing 45% (+), all other industries 3%.

Figure 5. Compromised records by industry with breaches >1M records removed. Industries shown: Retail Trade, Information, Administrative and Support Services, Accommodation and Food Services, Finance and Insurance, Other; values shown: 40%, 28%, 10%, 9%, 7%, 6% (the extracted figure does not preserve which value belongs to which industry).

Figure 3. Industry groups represented by number of breaches: Accommodation and Food Services 54%, Retail Trade 20%, Finance and Insurance 10%, Health Care and Social Assistance 7% (+), Information 3%, Other 6%.

Table 2. Organizational size by number of breaches (number of employees)

1 to 10: 42
11 to 100: 570
101 to 1,000: 48
1,001 to 10,000: 27
10,001 to 100,000: 23
Over 100,000: 10
Unknown: 135


As usual, it's hard to pull meaning from where victims have their operations, since most breaches do not require the attacker to be physically present in order to claim their prize. We set a high mark in 2010 with 22 countries represented, but smashed that record in 2011 with a whopping 36 countries hosting organizations that fell victim to data compromise. This is one area where the contribution of our global law enforcement partners really highlights the fact that data breaches are not an isolated regional problem.

Figure 6. Industry groups represented by number of breaches, larger orgs: Finance and Insurance 28%, Information 22%, Transportation and Warehousing 18%, Retail Trade 12%, Manufacturing 8%, Public Administration 7%, Other 5%.

Figure 7. Countries represented in combined caseload (countries in which breaches were found): Australia, Austria, Bahamas, Belgium, Brazil, Bulgaria, Canada, Denmark, France, Germany, Ghana, Greece, India, Ireland, Israel, Japan, Jordan, Kuwait, Lebanon, Luxembourg, Mexico, Netherlands, New Zealand, Philippines, Poland, Romania, Russian Federation, South Africa, Spain, Taiwan, Thailand, Turkey, United Arab Emirates, Ukraine, United Kingdom, United States.


2011 DBIR: THREAT EVENT OVERVIEW

In last year's DBIR, we presented the VERIS threat event grid populated with frequency counts for the first time. Other than a few data sharing partners, it was the most well-received feature of the report. The statistics throughout this report provide separate analysis of the Agents, Actions, Assets, and Attributes observed, but the grid presented here ties it all together to show intersections between the four A's. It gives a single big-picture view of the threat events associated with data breaches in 2011. Figure 8 (overall dataset) and Figure 9 (larger orgs) use the structure of Figure 1 from the Methodology section, but replace the TE# with the total number of breaches in which each threat event was part of the incident scenario.8 This is our most condensed view of the 855 data breaches analyzed this year, and there are several things worth noting.

When we review the overall dataset from a threat management perspective, only 40 of the 315 possible threat events have a value greater than zero (13%). Before going further, we do want to restate that not all intersections in the grid are feasible. Readers should also remember that this report focuses only on data breaches. During engagements where we have worked with organizations to VERIS-ize all their security incidents over the course of a year, it's quite interesting to see how different the grid looks when compared to the DBIR dataset. As one might theorize, Error and Misuse as well as Availability prove much more common.

8 In other words, 381 of the 855 breaches in 2011 involved external malware that affected the confidentiality of a server (the top left threat event).

Figure 8. VERIS A4 grid depicting the frequency of high-level threat events (overall dataset, 855 breaches). Columns and rows as in Figure 1. Non-zero cells as extracted, left to right per row; Table 3 and footnote 8 identify the largest cells, and the remaining column positions are not recoverable from the extracted figure.

Servers / Confidentiality & Possession: 381 (Ext Malware), 518 (Ext Hacking), 1, 9, 8, 1, 2, 1
Servers / Integrity & Authenticity: 397 (Ext Malware), 422 (Ext Hacking), 1, 6, 1, 1
Servers / Availability & Utility: 2, 6, 5
Networks / Confidentiality & Possession: 1
Networks / Integrity & Authenticity: 1, 1
Networks / Availability & Utility: 1, 1, 1
User Devices / Confidentiality & Possession: 356 (Ext Malware), 419 (Ext Hacking), 1, 86 (Ext Physical)
User Devices / Integrity & Authenticity: 355 (Ext Malware), 355 (Ext Hacking), 1, 1, 86 (Ext Physical)
User Devices / Availability & Utility: 1, 3
Offline Data / Confidentiality & Possession: 23, 1
Offline Data / Integrity & Authenticity, Offline Data / Availability & Utility, People / Availability & Utility: no non-zero cells
People / Confidentiality & Possession: 30, 1
People / Integrity & Authenticity: 59, 2


Figure 9. VERIS A4 grid depicting the frequency of high-level threat events, larger orgs (60 breaches). Columns and rows as in Figure 1. Non-zero cells as extracted, left to right per row; Table 4 identifies the larger cells.

Servers / Confidentiality & Possession: 7 (Ext Malware), 33 (Ext Hacking), 3, 2, 1
Servers / Integrity & Authenticity: 10 (Ext Malware), 18 (Ext Hacking), 1
Servers / Availability & Utility: 1
Networks / Confidentiality & Possession, Networks / Integrity & Authenticity: no non-zero cells
Networks / Availability & Utility: 1, 1
User Devices / Confidentiality & Possession: 3 (Ext Malware), 6 (Ext Hacking), 10 (Ext Physical)
User Devices / Integrity & Authenticity: 4 (Ext Malware), 2 (Ext Hacking), 10 (Ext Physical)
User Devices / Availability & Utility: 1
Offline Data / Confidentiality & Possession: 1, 1
Offline Data / Integrity & Authenticity, Offline Data / Availability & Utility, People / Availability & Utility: no non-zero cells
People / Confidentiality & Possession: 7 (Ext Social)
People / Integrity & Authenticity: 11 (Ext Social)

USING VERIS FOR EVIDENCE-BASED RISK MANAGEMENT

This may sound like an advertisement, but it's not. You can do this using VERIS (which is free!). Imagine, as a risk manager, having access to all security incidents within your organization classified using VERIS (if you really want to let your imagination run wild, think about having similar data from other organizations like your own). Over time, a historical dataset is created, giving you detailed information on what happened, how often it happened, and what else happened within your organization. Unknowns and uncertainties begin to be traced. You give it to your data visualization guys who crank out a grid for your various business groups similar to Figure 9. Hotspots on the grid focus your attention on critical problem areas and help to properly diagnose underlying ailments. From there, treatment strategies to deter, prevent, detect, or help recover from recurring (or damaging) threat events can be identified and prioritized. But you don't stop there; you actually measure the effectiveness of your prescriptions to track whether incidents do decrease after the treatments are administered. Thus, you achieve a state where better measurement enables better management. Colleagues start referring to you as the Risk Doctor and suddenly your opinion matters in security spending discussions. This could be you.

Obviously, this is meant to be tongue in cheek, but we truly do believe in the merits of an approach like this. We like to refer to this approach as Evidence-Based Risk Management (EBRM), borrowing from the concept of evidence-based medicine. Essentially, EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk. Security incidents, whether large or small, are a huge part of that best available evidence. This is why we assert that meticulously analyzing them is a highly beneficial practice.


Now back to the grid, where the results for the overall dataset share many similarities with our last report. The biggest changes are that hotspots in the Misuse and Physical areas are a little cooler, while Malware and Hacking against Servers and User Devices are burning brighter than ever. Similarly, the list of top threat events in Table 3 is eerily familiar.

Separating the threat events for larger organizations in Figure 9 yields a few additional talking points. Some might be surprised that this version of the grid is less covered than Figure 8 (22 of the 315 events, 7%, were observed at least once). One would expect that the bigger attack surface and stronger controls associated with larger organizations would spread attacks over a greater portion of the grid. This may be true, and our results shouldn't be used to contradict that point. We believe the lower density of Figure 9 compared to Figure 8 is mostly a result of size differences in the datasets (855 versus 60 breaches). With respect to threat diversity, it's interesting that the grid for larger organizations shows a comparatively more even distribution across in-scope threat events (i.e., less extreme clumping around Malware and Hacking). Related to this, Social and Physical events make the top 10 list in Table 4. Based on descriptions in the press of prominent attacks leveraging forms of social engineering, this isn't a shocker. Naturally, we expound on this throughout the following sections.

Table 4. Top 10 VERIS threat events - larger orgs

Rank  Threat event                                          #     Count
1     External / Hacking / Servers / Confidentiality        4     33
2     External / Hacking / Servers / Integrity              28    18
3     External / Social / People / Integrity                280   11
4     External / Malware / Servers / Integrity              22    10
5     External / Physical / User Devices / Confidentiality  139   10
6     External / Physical / User Devices / Integrity        160   10
7     External / Malware / Servers / Confidentiality        1     7
8     External / Social / People / Confidentiality          259   7
9     External / Hacking / User Devices / Confidentiality   130   6
10    External / Malware / User Devices / Integrity         148   4

Table 3. Top 10 VERIS threat events

Rank  Threat event                                          #     Count
1     External / Hacking / Servers / Confidentiality        4     518
2     External / Hacking / Servers / Integrity              28    422
3     External / Hacking / User Devices / Confidentiality   130   419
4     External / Malware / Servers / Integrity              22    397
5     External / Malware / Servers / Confidentiality        1     381
6     External / Malware / User Devices / Confidentiality   127   356
7     External / Malware / User Devices / Integrity         148   355
8     External / Hacking / User Devices / Integrity         151   355
9     External / Physical / User Devices / Confidentiality  139   86
10    External / Physical / User Devices / Integrity        160   86
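To make the EBRM sidebar's grid and the Table 3 / Table 4 rankings concrete, here is an added example (not code from the report or from VERIS itself) that tallies a constructed, VERIS-classified caseload into A4 threat-event cells, ranks the top cells, and reports grid coverage and hotspots. The cell-numbering layout is an assumption of this example; it reproduces most of the cell numbers listed in Tables 3 and 4 but is not documented on the page.

```python
from collections import Counter
from itertools import product

# The four VERIS "A4" dimensions as the report names them. The ordering within
# each tuple is this example's assumption; it drives cell_number() below.
AGENTS = ("External", "Internal", "Partner")
ACTIONS = ("Malware", "Hacking", "Social", "Misuse", "Physical", "Error", "Environmental")
ASSETS = ("Servers", "Networks", "User Devices", "Offline Data", "People")
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")

ALL_EVENTS = list(product(AGENTS, ACTIONS, ASSETS, ATTRIBUTES))   # 3*7*5*3 = 315 cells


def cell_number(event):
    """Assumed layout: one row per (asset, attribute), one column per
    (action, agent), numbered row-major from 1. Under this assumption
    External/Malware/Servers/Confidentiality is cell 1 and
    External/Hacking/User Devices/Confidentiality is cell 130, as in Table 3."""
    agent, action, asset, attribute = event
    row = ASSETS.index(asset) * len(ATTRIBUTES) + ATTRIBUTES.index(attribute)
    col = ACTIONS.index(action) * len(AGENTS) + AGENTS.index(agent)
    return row * len(ACTIONS) * len(AGENTS) + col + 1


def a4_grid(incidents):
    """Number of incidents in which each threat event occurred at least once.
    An incident with several events lights several cells, so the cells do not
    sum to the number of incidents."""
    grid = Counter()
    for events in incidents:
        for ev in set(events):
            grid[ev] += 1
    return grid


def top_events(grid, n=10):
    """Rank cells as Table 3 does: (rank, event, cell number, incident count).
    Ties are broken by cell number so the ranking is deterministic."""
    ranked = sorted(grid.items(), key=lambda kv: (-kv[1], cell_number(kv[0])))
    return [(i + 1, ev, cell_number(ev), c) for i, (ev, c) in enumerate(ranked[:n])]


def coverage(grid):
    """(cells seen, cells never seen) out of 315; the report notes 22 empty
    cells in the larger-org grid."""
    seen = sum(1 for ev in ALL_EVENTS if grid[ev] > 0)
    return seen, len(ALL_EVENTS) - seen


def hotspots(grid, n_incidents, min_share=0.5):
    """Cells present in at least min_share of incidents: the 'hotspots' the
    sidebar suggests focusing treatment strategies on."""
    return [ev for ev, c in grid.items() if c / n_incidents >= min_share]


# Constructed sample caseload (not report data): each incident lists the
# threat events its attack chain touched, as a VERIS classification would.
SAMPLE_INCIDENTS = [
    [("External", "Hacking", "Servers", "Confidentiality"),
     ("External", "Malware", "Servers", "Integrity"),
     ("External", "Malware", "Servers", "Confidentiality")],
    [("External", "Hacking", "Servers", "Confidentiality"),
     ("External", "Hacking", "Servers", "Integrity")],
    [("External", "Physical", "User Devices", "Integrity"),
     ("External", "Physical", "User Devices", "Confidentiality")],
    [("Internal", "Misuse", "Servers", "Confidentiality")],
    [("External", "Social", "People", "Integrity"),
     ("External", "Malware", "User Devices", "Integrity"),
     ("External", "Hacking", "Servers", "Confidentiality")],
]

if __name__ == "__main__":
    grid = a4_grid(SAMPLE_INCIDENTS)
    for rank, ev, cell, count in top_events(grid):
        print(rank, "/".join(ev), "cell", cell, "count", count)
    print("coverage (seen, empty):", coverage(grid))
    print("hotspots:", hotspots(grid, len(SAMPLE_INCIDENTS)))
```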



Threat Agents

Entities that cause or contribute to an incident are known as threat agents. There can, of course, be more than one agent involved in any particular incident. Actions performed by them can be malicious or non-malicious, intentional or unintentional, causal or contributory, and stem from a variety of motives (all of which will be discussed in subsequent agent-specific sections). Identifying the agents associated with an incident is critical to taking specific corrective action as well as informing decisions regarding future defensive strategies. VERIS specifies three primary categories of threat agents: External, Internal, and Partner.

External: External threats originate from sources outside the organization and its network of partners. Examples include former employees, hackers, organized criminal groups, and government entities. External agents also include environmental events such as floods, earthquakes, and power disruptions. Typically, no trust or privilege is implied for external entities.

Internal: Internal threats are those originating from within the organization. This encompasses company executives, employees, independent contractors, interns, etc., as well as internal infrastructure. Insiders are trusted and privileged (some more than others).

Partner: Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners.

Figure 10 displays the distribution of threat agents by percentage of breaches in this year's dataset, along with previous years of this study. It's important to keep in mind that we're not looking at a consistent sample. The first few years were based only on Verizon cases, then the USSS (2007-2011), NHTCU (2006-2011), AFP (2011), IRISSCERT (2011), and PCeU (2011) joined at various points in the years that followed. Thus, trends reflect the combination of changes in the threat environment and changes within the sample dataset.

Figure 10. Threat agents over time by percent of breaches (figure not reproduced)


2011 continued the shift toward external agent involvement in a high percentage of data breaches. Though we have always seen an external majority, never before has any year been so one-sided. 2009 was the closest to an exception to that rule, but the rise in internal agents was mostly the by-product of incorporating the insider-heavy USSS caseload (see the 2010 DBIR9 for more details). Since then, it's primarily outsiders in the caseloads we've examined.

Apart from yearly sample variation, there are several factors contributing to the escalating percentage of external agents over insiders and partners in this report. The primary factor, which we addressed at length in the 2011 DBIR10, is the continued effect of industrialized attacks on the statistics. Organized criminal groups targeting payment card information from Internet-facing POS systems or physically-exposed ATMs and gas pumps can use such tooling against hundreds of victims during the same operation. From a percentage standpoint, the resulting effect that these commoditized yet highly-scalable attacks have on threat agent trends makes perfect sense. Insiders, by definition, have a smaller number of potential targets.

Another contributor to the continued rise of external agents in 2011 was the reinvigorated conduct of activist groups. Commonly known as hacktivism, these attacks are inherently external in nature. They are not nearly as frequent (one might even say constant) as financially-motivated cybercrime, but as we'll see, they can be quite damaging.

We would be remiss if we did not point out that in 2011, there were several investigations involving internal agents that did not meet the definition of a data breach. When insiders misuse access or information provided for their job duties, but do not disclose information to an unauthorized party, then no loss of confidentiality has occurred11. Such incidents are not included in this report.

Another interesting revelation about 2011 is the much lower percentage of multi-agent breaches. Back in 2009, over one-quarter of incidents were the work of more than one category of threat agent. Such incidents sometimes involve overt collusion, but more often outsiders solicit insiders to participate in some aspect of the crime. In 2011, that figure was just 2%. The decline here can be attributed to the industrialization trend discussed above.

Partner threat agents have realized a steady decrease over the last few years, and this dataset is no exception.12 With the 1% of breaches caused by partners, it will be hard to go anywhere but up in the next report. Similar to insiders, the dramatic increase in external agents helps to explain this decline, but there are other factors as well. Notice that the downward trend began in 2008, which preceded the major shift toward highly-scalable attacks by outsiders. We have given several hypotheses in past reports, including increased awareness, regulations, and technology advancements. More significant is how we define causal and contributory agents. Partners that did not have a causal role in the incident are not included in the percentages. More discussion on such scenarios can be found in the Partner and Error sections of this report.

It is entirely possible that malicious insiders and/or partners are flying under the radar and thus avoiding discovery. We have mentioned in previous reports (and will mention in later sections) that a high percentage of breaches are identified by fraud detection. However, compromises of non-financial data do not have the mechanisms to trigger fraud alerts, and are therefore more difficult to discover. Our data consistently shows that trusted parties are considerably more likely to steal intellectual property and other sensitive (non-financial) data, and there's a good chance these activities would never be detected. This is not included to apologize for bias or to spread FUD, but to raise a valid point that insiders and partners are probably under-represented in Figure 10 (though, in the grand scheme of things, we still don't think they're anywhere close to outsiders).

In keeping with our promise to give findings specific to larger organizations, we present Figure 12. Those hoping to see significantly different results here are bound for disappointment. (Don't you hate it when data gets in the way of a good theory?) We had an incredibly insightful and rational explanation ready to explain why insiders and partners were more likely to attack larger organizations, but alas, it all goes to waste.

9 http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

10 http://www.verizonbusiness.com/go/2011dbir/us/

11 A frequent example of this is a bank employee who uses system privileges to make an unauthorized withdrawal or transfer of funds. This is certainly a security violation, but it is not a data breach.

12 Some may rightly remember that the percentage tied to partners was substantially higher in prior reports. Keep in mind that those reports showed Verizon data separately, whereas this is the combined data from all participating organizations retrofitted to historical data. It definitely changes the results.

    Breach Size by Threat Agents

Data compromise, measured by number of records lost, is not indicative of the full impact of the breach, but it is a useful and measurable indicator of it. We agree that it would be optimal to include more information associated with response, brand damage, business disruption, legal penalties, etc. As a small step in this direction, we have added a short section to this report discussing some of these consequences. Here, we focus exclusively on the amount of data. Figure 13 shows the distribution among threat agents of the approximately 174 million records compromised across the merged 2011 dataset. No, we didn't forget to include values for insiders and partners; it's just that outsiders stole virtually all of it. When compared to the entire dataset encompassing all years of this study (Figure 14), the effect isn't much different (but we can at least see colors other than greenish-blue). Mega-breaches, involving millions of records in a single incident, have consistently skewed data loss numbers toward external agents. The high-volume, low-yield attacks must add up in their favor over time.

It's important to recognize the various types of data compromised and their influence on this metric. Payment card data and personal information are frequently stored and lost in bulk, whereas intellectual property or classified data often involve only a single record. As mentioned previously, insiders are more likely to target the latter.

Figure 12. Threat agents by percent of breaches - larger orgs (figure not reproduced): External 87%, Internal 5%, Partner 5%, Unknown 3%

Figure 13. Compromised records by threat agent, 2011 (figure not reproduced; series: External only, Internal only, Multiple agents, Partner only). External-only breaches account for 173,874,419 of the approximately 174 million records.

Figure 14. Compromised records by threat agent, 2004-2011 (figure not reproduced; series: External only, Internal only, Multiple agents, Partner only). External-only breaches account for 978,433,619 records.

Figure 11. Threat agents (exclusive) by percent of breaches (figure not reproduced)


External Agents (98% of breaches, 99+% of records)

As with our previous DBIRs, this version continues to reinforce the finding that external parties are responsible for far more data breaches than insiders and partners. This go-round, they were tied to 98% of incidents. At quick glance, much about the roles, varieties, and motives of external agents in 2011 appears to be just a continuation of the same story.

Outsiders almost always engaged in direct, intentional, and malicious actions. Only about 2% of cases featured external agents in an indirect role, where they solicited or aided someone else to act against the victim. Organized criminal groups were once again behind the lion's share (83%) of breaches. One may wonder why it is they do what they do (we surely do, and that's why we started tracking more about motives last year); the answer is pretty straightforward: they do it for the money (96%). Bottom line: most data thieves are professional criminals deliberately trying to steal information they can turn into cash. Like we said, same story.

It's not the whole story, however. Nor is it the most important. The most significant change we saw in 2011 was the rise of hacktivism against larger organizations worldwide. The frequency and regularity of cases tied to activist groups that came through our door in 2011 exceeded the number worked in all previous years combined. But this was not restricted to our caseload; the other organizations participating in this report spent a great deal of effort responding to, investigating, and prosecuting hacktivist exploits. It was extremely interesting to piece the different perspectives together to form a global view of investigations into activist groups and their victims. 3% of external attacks may not seem like much (though remember we're dealing with over 850 incidents here, and statistics related to motives are higher than that; plus we suspect some unknown agents are actually activists), but this trend is probably the biggest and single most important change factor in this year's DBIR.

Figure 15. Motive of external agents by percent of breaches within External

Motive                        All orgs   Larger orgs
Financial or personal gain    96%        71%
Disagreement or protest       3%         25%
Fun, curiosity, or pride      2%         23%
Grudge or personal offense    1%         2%


That is not to say that hacktivism is new; the term has been standard lexicon since it was coined by the Cult of the Dead Cow hacker collective in the late 90s13. Back then, it mostly consisted of website defacements, distributed denial of service attacks, and other tactics to express disagreement, obtain bragging rights, or just because. The major shift that occurred in 2011 was that activist groups added data breaches to their repertoire with much-heightened intensity and publicity. In other words, 2011 was a merger between the classic misdeeds and a new "Oh by the way, we're gonna steal all your data too" twist.

But even that's not the whole story. Although activist groups accounted for a relatively small proportion of the 2011 caseload, they stole over 100 million records. That's almost twice the amount pilfered by the financially-motivated professionals we discussed earlier. So, though ideological attacks were less frequent, they sure took a heavy toll.

Why the disparity between the total records stolen by professional cybercriminals versus activist groups? Looking through the case data, it is apparent that money-driven crooks continue to focus more on opportunistic attacks against weaker targets. This may be at least partly because a good number of their brethren are enjoying jail time. Instead of major (and risky) heists, they pilfer smaller hauls of data from a multitude of smaller organizations that present lower risk to the attacker. Think of it as a way to streamline business processes. Find an easy way to prey on the unsuspecting, the weak, and the lame, and then simply repeat on a large scale. This high-volume, low-yield business model has become the standard M.O. for organized criminal groups.

An important observation for us to close this discussion is that nearly all data stolen by activist groups were taken from larger organizations. Furthermore, the proportion of breaches tied to hacktivism-related motives rises to 25 percent. This stands to reason, since a well-known brand is likely to draw the ire of these groups.

Just like the security professionals with whom they contend, criminals are constantly assessing risk: the risk of apprehension. One of the greatest challenges for law enforcement in the fight against cybercrime is merging a criminal's real world identity with their online identity. Unfortunately, for roughly 10% of the 2011 cases, investigators were unable to identify the specific variety of external agent. There are several valid reasons for this. First and foremost, many clients do not maintain sufficient log data that would enable attribution. In many cases, the determination cannot be made through disk forensics. Many victims (for various reasons) do not wish to expand the investigation to include this line of inquiry once the breach has been successfully contained. Sometimes the perpetrator is able to erase his tracks or hide them among a host of intermediary systems. Every now and then, just when we think we've correctly identified the offender... Nope! Chuck Testa (just look it up, it's worth the break).

13 http://www.wired.com/techbiz/it/news/2004/07/64193

Table 5. Varieties of external agents by percent of breaches within External and percent of records

                                          All orgs             Larger orgs
Variety                                   Breaches   Records   Breaches   Records
Organized criminal group                  83%        35%       33%        36%
Unknown                                   10%        1%        31%        0%
Unaffiliated person(s)                    4%         0%        10%        0%
Activist group                            2%         58%+      21%        61%
Former employee (no longer had access)    1%         0%        6%         0%
Relative or acquaintance of employee      0%         0%        2%         0%

Origin of External Agents

As is always the case, determining the geographic origin of external attackers based on IP address can be problematic. Even if the country of the source IP address can be pinpointed, this may not be where the attacker actually resides. It's quite likely that it's just a host in a botnet or another hop used by the agent. In some cases, various types of additional data, such as those provided by law enforcement and/or netflow analysis, can help to determine the attacker's true origin. Either way, examining the geographic origin of attacks is valuable for a number of reasons.

2011 findings look similar to previous years, with threat agents hailing from Eastern Europe accounting for over two-thirds of external breaches (see Figure 16). However, in examining only large organizations, this number drops to 27%. This statistic is in line with the increasing tendency of organized criminal groups (that often hail from Eastern Europe) to target smaller, low-hanging-fruit victims. Attacks against larger organizations originated from a comparatively more diverse set of regions around the world.

Internal Agents (4% of breaches,


skim customer payment cards with handheld devices designed to capture magnetic stripe data. The data is then passed up the chain to criminals who use magnetic stripe encoders to replicate duplicate cards. Not surprisingly, such incidents are almost entirely associated with smaller businesses or independent locations/franchises of large brands.

On the other hand, when regular corporate end users are involved (12%), their actions are quite different. In most instances, the employee uses system access or other privileges in order to steal sensitive information. Almost all of the scenarios listed above are motivated by financial or personal gain.

Outside the varieties mentioned above, we observed a mixture of executives, managers, and supervisors (totaling 18%). Like the regular employees and end users, these individuals are exploiting system access and privileges for personal gain. For a third year running, we have a decline in finance and accounting staff. Still, the daily responsibilities of these folks, which involve the oversight and/or direct access to valuable assets and information, put them in a position to engage in a multitude of misdeeds. One can't help but wonder what the data would show if we were to track this type of insider through the ever-changing regulatory landscape, from pre-Glass-Steagall, to Gramm-Leach-Bliley, and now to Dodd-Frank. The ebb and flow of the numbers would have been very interesting to witness.

Finally, it might be negligent of us if we didn't provide some mention of system or network administrators. These trusty technological warriors help make IT organizations around the world hum with productivity, and they oftentimes possess the proverbial keys-to-the-kingdom. Though we have cases in which they were responsible for data breaches, they have barely registered more than a blip on the radar in the last couple of years. We mentioned in an earlier section that we have analyzed all the incidents for a single organization over the course of a year. In that dataset, admin-related incidents occur frequently, but they are mostly of the visibility and downtime variety.

    Partner Agents (


A few examples should help:

1. If the partner's actions are the direct cause of the incident, they ARE a threat agent.

2. If the partner's actions create circumstances or conditions that, if/when acted upon by another agent, allow the primary chain of threat events to proceed, the partner is NOT a threat agent. We consider this to be a conditional event, and the partner can be viewed as a contributing agent. Their actions had more to do with the victim's security or vulnerability than the threat itself.

3. If the partner owns, hosts, or manages the victim asset involved in an incident, it does NOT necessarily follow that they are a threat agent. They may be (if their actions led to the incident), but they are not guilty simply by this association.

Example #2 seems to be a sticking point for most people. To further illustrate what we mean, let us consider the following scenario. Suppose a third party remotely administers a customer's devices over the Internet via some kind of remote access or desktop service. Further suppose this partner forgets or misconfigures a security setting (to pick something no admin would ever do, like neglecting to change default credentials). Then, lo and behold, that device gets popped within 30 seconds of being identified when an organized criminal group operating out of Eastern Europe guesses the username/password. All of this, of course, is purely figurative; this would never actually happen in the real world (wink, wink). In such circumstances, the criminal group would be the only threat agent. One could capture the partner's [indirect] contribution using the VERIS-specified role of "contributed to conditional event(s)" along with a suitable Error threat action. This essentially states that the partner created a vulnerability (the conditional event) that was exploited by the external threat agent.
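To show how the three rules above sort the parties in the outsourced-admin scenario, here is an added example (not code from the report or from VERIS); the Party model, the role names and the constructed caseload are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Roles a party can play in an incident (terms follow the report's three rules;
# the constant names are this example's own).
DIRECT = "direct"            # rule 1: its action is a link in the chain of threat events
CONDITIONAL = "conditional"  # rule 2: it only created a condition another party exploited
NONE = "none"                # rule 3: it merely owns, hosts or manages the affected asset


@dataclass
class Party:
    name: str
    category: str                  # "External", "Internal" or "Partner"
    role: str                      # DIRECT, CONDITIONAL or NONE
    action: Optional[str] = None   # VERIS action category, e.g. "Hacking", "Error"


def threat_agents(parties: List[Party]) -> List[str]:
    """Only a party whose action directly caused the incident is a threat agent."""
    return [p.name for p in parties if p.role == DIRECT]


def contributing_agents(parties: List[Party]) -> List[str]:
    """Parties recorded as 'contributed to conditional event(s)' rather than as agents."""
    return [p.name for p in parties if p.role == CONDITIONAL]


def agent_category_share(incidents: List[List[Party]]) -> Dict[str, int]:
    """Percent of incidents in which each category appears as a threat agent.
    Partners with only a conditional role are excluded, which is why the
    report's partner figures stay low even when partners were involved."""
    n = len(incidents)
    share = {}
    for cat in ("External", "Internal", "Partner"):
        hits = sum(1 for inc in incidents
                   if any(p.category == cat and p.role == DIRECT for p in inc))
        share[cat] = round(100 * hits / n)
    return share


# Constructed version of the report's outsourced-admin scenario (not report data).
OUTSOURCED_ADMIN_CASE = [
    Party("outsourced IT support vendor", "Partner", CONDITIONAL, "Error"),  # left default credentials
    Party("organized criminal group", "External", DIRECT, "Hacking"),       # guessed them
    Party("hosting provider", "Partner", NONE),                              # only hosts the device
]

# A partner whose own action directly caused the loss, for contrast (constructed).
PARTNER_CAUSED_CASE = [Party("payroll processor", "Partner", DIRECT, "Misuse")]

SAMPLE_CASELOAD = [
    OUTSOURCED_ADMIN_CASE,
    PARTNER_CAUSED_CASE,
    [Party("remote attacker", "External", DIRECT, "Hacking")],
    [Party("disgruntled employee", "Internal", DIRECT, "Misuse")],
]

if __name__ == "__main__":
    print("threat agents:", threat_agents(OUTSOURCED_ADMIN_CASE))
    print("contributing agents:", contributing_agents(OUTSOURCED_ADMIN_CASE))
    print("category share:", agent_category_share(SAMPLE_CASELOAD))
```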

All in all, the observations made over the last two years remain true: organizations that outsource their IT management and support also outsource a great deal of trust to their chosen partner. A partner's lax security practices and poor governance, often outside the victim's control or expertise, are frequently catalysts in security incidents. Nevertheless, outsourcing can have many benefits, and the best way to counteract the associated risk is through third-party policies, contracts, controls, and assessments. One caveat of outsourcing is that you can outsource business functions, but you can't outsource the risk and responsibility to a third party. The onus must remain solely on the organization that asks the populace to trust they will do the right thing with their data.

Threat Actions

Threat actions describe what the threat agent did to cause or to contribute to the breach. Every data breach contains one or more of them, causing percentages to add up to more than 100%. Within VERIS, actions are classified into seven high-level categories (each of which will be covered in detail in the following sections). Hacking and malware have traditionally led the pack, but this year they've pulled away from the group even further while waving "Hi Mom!" to the cameras. Out of the 855 incidents this year, 81% leveraged hacking, 69% included malware, and an impressive 61% of breaches featured a combination of hacking techniques and malware. Out of the 602 incidents with two or more events, hacking and malware were used in 86% of the attacks (more on the relationship of threat actions can be found in Appendix A).


Overall, we've seen the categories bounce around a bit over the years. Misuse and social tactics stepped up their game in 2009 while physical techniques made a respectable appearance the year after that. The rather sharp drop in physical attacks this past year may be due to global law enforcement agencies successfully flipping the freedom bit of those involved with skimming incidents. They focused heavily on the criminal rings behind the skimming activities rather than individual incidents themselves, and we may be starting to see the fruits of those efforts.

Figure: threat action categories over time by percent of breaches (Malware, Hacking, Social, Misuse, Physical, Error, Environmental; figure not reproduced)


Whatever the explanation, one thing is absolutely clear: we see a distinct pattern emerging over the years with respect to threat actions across the full dataset.

If we look at bigger organizations, however, we find a slightly different picture. Figure 18 hints at an obvious and simple truth worth mentioning: large company problems are different than small company problems. Perhaps it's because enterprises have the IT staff to address some of the low-hanging fruit (or, what is a bit more apropos, the fruit rotting in the yard). However, to get to the action items for large versus small organizations, we must look at the breakdown of threat actions beyond the high-level categories (see Table 7).

Table 7. Top threat actions

Rank  Variety                                                          Category  Breaches  Records
1     Keylogger/Form-grabber/Spyware (capture data from user activity)  Malware   48%       35%
2     Exploitation of default or guessable credentials                 Hacking   44%       1%
3     Use of stolen login credentials                                  Hacking   32%       82%
4     Send data to external site/entity                                Malware   30%


Companies, big and small, saw fair amounts of malicious code designed to capture user input, commonly called keyloggers; they were present in almost half of all breaches (48%). This most likely contributed to the use of stolen credentials in roughly one out of three incidents. Another consistent threat action for large and small companies was the installation (and exploitation) of backdoors; these were leveraged in about one of every seven attacks. We can get a feel for the differing threat landscape of big and small companies by comparing Table 8, which lists top threat actions used against larger enterprises.

Pulling information from Table 8 is a little problematic since the numbers are smaller (smaller datasets have larger swings in sampling error), but we can see some interesting trends. The first thing we notice is the increased presence of social tactics; a disproportionate 22% of incidents incorporated these within larger organizations. This could be because they have better perimeter defenses (forcing attackers to target humans instead of systems) or that employees of larger companies have more complex social webs (they are less likely to know the co-workers they should (or should not) trust).

Another interesting take-away from Table 8 is the lack of exploitation of default credentials. It dropped off the radar and few of the 60 large company breaches included that threat action. Again, this could be because larger organizations have the staff and resources to tackle some of the menial tasks or it could be that larger companies likely have more than a single default password between the attacker and the crown jewels. This reinforces the need for the bad guys to use stolen login credentials to breach larger organizations. In the pages that follow, we dig deeper into each of the categories to see what we can learn about the actions leading to data breaches in 2011.

Malware (69% of breaches, 95% of records)

Malware is any malicious software, script, or code developed or used for the purpose of compromising or harming information assets without the owner's informed consent. Malware factored into over two-thirds of the 2011 caseload and 95% of all stolen data. Upon identification of malware during an investigation, the Verizon RISK team conducts objective analysis to classify and ascertain its capabilities with regard to the compromise at hand. The RISK team uses the analysis to assist the victim with containment, removal, and recovery of the infection. Malware can be classified in many ways, but we utilize a two-dimensional approach within the VERIS framework that identifies the infection vector and the functionality used to breach data. These two dimensions are directly relevant to identifying appropriate detective and preventive measures for malware.

Table 8. Top threat actions - larger orgs

Rank  Overall rank  Variety                                                   Category  Breaches  Records
1     3             Use of stolen login credentials                           Hacking   30%       84%
2     6             Backdoor (allows remote access/control)                   Malware   18%       51%
3     7             Exploitation of backdoor or command and control channel   Hacking   17%       51%
4     9             Tampering                                                 Physical  17%


Malware Infection Vectors

Much as it has in the past, the most common malware infection vector continues to be installation or injection by a remote attacker. This covers scenarios in which an attacker breaches a system via remote access and then deploys malware or injects code via web application vulnerabilities. Over the past few years, the data show that this infection vector continues an upward trend. Attackers utilized this vector in slightly more than half of malware-related cases in 2009, about 80% in 2010, and a staggering 95% in the past year. Its popularity as an infection vector likely stems both from the attacker's desire to remain in control after gaining access to a system, and its use in high-volume automated attacks against remote access services. This is most evident in the broader financially-motivated crimes (such as payment card breaches) where malware is not typically the initial vector of intrusion, but rather is installed by the attacker after gaining access. This isn't always true for other genres of attacks. With IP theft scenarios, malware often provides the entry point after a successful social attack such as a phishing e-mail. In these cases, good defense-in-depth controls, not just antivirus software, could aid in keeping the attacker out in the first place.

When discussing data compromise situations, e-mail is a less common infection vector. Many organizations employ antivirus products and other filtering mechanisms to successfully block or quarantine millions of malware strains floating around the Internet. It is highly likely that e-mail would be a much larger vector if these controls were revoked.

Infection via the web declined again this past year in proportion to other vectors. We divide web-based malware into two subcategories: code that is auto-executed (also known as drive-by downloads) and software that the user needs to execute (clicking a malicious hyperlink). We realize that web-based malware results in countless infected systems, but only a portion of these lead to confirmed data theft.

Figure 19. Malware infection vectors by percent of breaches within Malware (figure not reproduced). Vectors: Injected by remote attacker (i.e., via SQLi); Installed by remote attacker (after system access); Installed by other malware; E-mail via user-executed attachment; Web/Internet (auto-executed/drive-by infection); Web/Internet (user-executed or downloaded).


For many web-based types of malware, a user is required to visit a certain infected website. This certainly works for some scenarios, such as password-stealing Zeus malware, but less so for large-scale compromises of payment systems. Most of these infected systems appear simply to join the thousands of bots used for DDoS and other types of attacks.

For larger organizations, the distribution of malware infection vectors is less one-sided; the data show higher frequencies of web and e-mail infection vectors and lower frequencies of malware installed directly by attackers. Our leading theory for this shift is that attackers may find it easier to get users to install malware rather than breach the perimeter defenses of larger organizations through direct attacks. The amount of unknown infection vectors is attributable to many different factors. Most often it is due to lack of evidence (no log data, anti-forensics by the attacker, and/or premature clean-up) on the systems. In these cases, it is known that malware was present, but the infection vector cannot be conclusively determined.

Malware Functionality

Of equal importance to the pathways of malware infection are the functions exhibited once deployed within a victim environment. We mostly focus on malware that directly relates to the breach, but we often do find extraneous malicious or unwanted files during the course of an investigation. This serves as an additional indication of inadequately managed systems and lack of security processes. Although malware frequently utilizes several methods to harm systems, it still serves one or more of three basic purposes in a data breach scenario: enable or prolong access, capture data, or further the attack in some other manner.

Per Figure 20, the three most commonly used functions of malware continue to be logging keystrokes (and other forms of user input), sending data to external locations, and backdoors. It is important to note that these functionalities are not mutually exclusive and it is common for a single piece of malware to feature several components. As mentioned, keyloggers appeared in over two-thirds of malware-related cases, slightly more than the previous year. These often include commercially available software packages, which are freely available on the web, and for which fully functional pirated versions can be found on peer-to-peer (P2P) networks and torrent sites. Some of these keyloggers allow the attacker to build pre-configured remote installation packages that can be deployed on target systems. Their availability, ease of use, and configuration, as well as their anti-forensic capabilities, such as hiding