Latest Report On Data Breaches: More Outsider Attacks, Many Of Them State-Sponsored

from the also,-you-will-fall-victim-to-phishing dept

Every year, Verizon releases a fairly detailed report looking into data breaches, and the recent release on the 2013 report is quite interesting, highlighting how much state-sponsored attacks are the root cause of data breaches. Not surprisingly, there's a strong correlation between that and espionage (rather than direct financial benefit) being the main reason for the attacks. And, also not surprising: China is a major source of these attacks. However, one thing the study does make clear is that for all the people who claim that insiders are the biggest threat, that's less and less likely true, at least on a pure numbers basis. Insiders may be able to do more direct damage per breach, but it seems clear that in terms of sheer numbers of attacks, it's all about outsider attacks these days. There's actually been a pretty noticeable shift on this front over the past few years:

The report is actually fairly entertaining and quite readable. It does note that the rise in data on state-sponsored attacks might not be due to an actual increase in those attacks, but better data and better evidence collection -- but either way, it does appear that China continues to be a pretty big threat when it comes to outside attacks for espionage purposes. On the financial side, it's apparently all about Romania.

Separately, there's a fantastic chart that lays out three major types of attackers, who they target and how they generally do what they do. It's a pretty handy chart for understanding the overall layout of data breaches and how they normally occur:

I'm actually somewhat surprised that phishing isn't used more often across all types, as the report also notes that phishing is astoundingly effective:

We try to avoid rolling out scary memes like “you will be compromised,” but when it comes to phishing attacks, that’s exactly what the data tells us. Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action. Getting the user to click (on a link or attachment) is the first obstacle for all phishing campaigns. So how many e-mails would it take to get one click?

[....] It’s pretty easy to see why this is a favored attack for espionage campaigns and the answer to our question is “three.” Running a campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice and that probability goes up to 80%, and sending 10 phishing e-mails approaches the point where most attackers would be able to slap a “guaranteed” sticker on getting a click. To add some urgency to this, about half of the clicks occur within 12 hours of the phishing e-mail being sent.

That said, the report notes that merely getting a click doesn't mean the person will put in their information, or create a true compromise, but it is somewhat astounding nonetheless.

The report also notes what a disaster it is that we still use one-factor passwords (i.e. typical passwords) for most things, rather than (at the very least) two-factor authentication, noting that this would kill off 80% of successful hacks.

Another interesting point in all of this is that the researchers note they've seen no evidence that attackers are targeting cloud-based services over in-house ones. It's not that there aren't attacks on cloud services, it's just that it doesn't seem like a clear thing that attackers focus on. Of course, a separate research report notes just how much investment is going into the enterprise cloud these days, so I'm guessing that cloud providers are going to become increasingly large targets. While they may have stronger security, breaking in will probably be so valuable to attackers that it'll be worth attacking that stronger fortress.

And, finally, if you want to be scared about how many of these attacks have probably gone on and aren't known about yet, well, the end of the report is not particularly comforting. It notes that, from the data the researchers are using, it shows that initial attacks happen pretty quickly (within a few hours, which is up from minutes a few years ago, but still relatively quick), and getting data out comes pretty soon after that. But (and here's the scary part) actually having those breaches noticed? That doesn't happen for months and more often than not happens because another outsider discovers it, rather than an insider or an internal system raising the alarm.

In about a third of those cases, the "outsider" is a totally unrelated party, but in 9% of cases, it's a customer who discovers the data breach. That can't be good for customer confidence.

There's a lot more data in the report, and it's well worth reading. However, as we've been talking so much lately about privacy and security when it comes to governments -- mainly with a focus on activities by intelligence agencies in the US and other allies -- it's worth nothing other forms of attacks as well, and the trends related to them. The growth of attacks that are really a form of espionage, rather than just organized crime, seems like a noteworthy, if not all that surprising, finding.

---

This post is sponsored by The Hartford.

Filed Under: data breaches, data security, espionage, sponsored post

Suddenly The Terms And Conditions Of Your 'Cloud' Service Provider Matter A Lot More

from the pay-attention dept

With everything going on with the NSA and other intelligence agencies relying on being able to reach out to third parties for data, we've pointed out a few times now that this may do serious harm to the tech industry. But what about from the consumer (or business buyer) perspective? It seems likely that companies (especially) should really start rethinking how they make use of certain cloud services. There are, clearly, tremendous potential benefits from cloud providers, which is why it's become so popular lately. But, there are certain downsides as well, and the whole concept of government access (or government demands, a la Lavabit) has really woken people up to some additional potential hazards they may not have paid close attention to in the past.

It also means that a lot of users of cloud services are suddenly reviewing their options a lot more carefully. We've talked about how this may be a boon for private cloud offerings, but there are still plenty of benefits to remote cloud offerings as well. But, suddenly the exact terms that are associated with those offerings, and the potential liability you might face for using those services becomes much more important. In the past, people may have grumbled about the terms of service or potential liabilities they were taking on, but the threats seemed more theoretical. That's now changed.

Over at OpenSource.com, Georg Greve has a good post that looks into questions that need to be asked before using a cloud service these days in light of the revelations about government snooping. For example, in the past, while many people might not have cared what country their service was hosted in, now it becomes critically important. He also highlights the importance of open source software and open source expertise -- both of which provide benefits on mulitple levels, including a higher likelihood of standardization and, frankly, probably a stronger interest in not just caving to government snooping.

But the biggest one is the final point: having a way out.

Know your escape plan.

Solutions that are provided to you as fully open source have an elegant escape hatch built into them by their design. Read: You can take the entire stack and host it yourself without losing productivity or data. This backup plan protects you against legislative changes, company restructuring, and much more. The other side to this is provided by open standards.

The Takeaway: Choose solutions that have the most complete open standards approach to go with open source, because if your escape plan fails for whatever reason, there is a backup. Beware of "Open Core" offers masquerading as open source, though. Gartner called them the "emperor's new clothes" for a reason.

Indeed. As I've argued a few times in the past, so many "cloud" services available today aren't fulfilling the real power of the cloud. Instead, they're little more than locked-in silos, where you're stuck with that particular vendor. The switching costs are incredibly high in those cases, which may not matter when everything's going great, but when you're suddenly worried about the privacy of all of your users (or yourself!) these things suddenly matter quite a bit. And yet, many who are jumping on the cloud bandwagon don't take the time to explore the amount of lock-in and what it means for their own flexibility and liability as well.

Part of the problem, of course, is that many users of cloud services just haven't put a premium on having such control and freedoms. Hopefully, with the growing recognition of why this is an issue, more cloud providers will recognize that not locking people in, and providing more open and flexible solutions is a powerful selling point.

---

This post is sponsored by The Hartford.

Filed Under: cloud, data security, liability, sponsored post

Visualizing The History Of Massive Data Breaches

from the hackers,-accidents-and-more dept

Though the ongoing revelations about the NSA have thrust government monitoring into the spotlight, we all know that's just one of the concerning ways that our data is at risk. For many years, we've been tracking the various massive breaches that happen at companies, government agencies and anywhere else sensitive data is stored — no small task considering how frequent such breaches seem to be. A new interactive visualization from Information Is Beautiful puts the history of massive data breaches in perspective, going back nearly 10 years and comparing the scale of different events in terms of both the amount of information stolen and the sensitivity of that information. I'd embed a screenshot of the graphic, but it's huge and the fun comes from the interactivity, so you should just check out the whole thing.

Way back when AOL carelessly handed out data on hundreds of thousands of search users, this all still felt a little bit newer — the rush to start a class-action lawsuit was, as we noted, something of an overreaction given the nature of what happened. AOL stupidly released a lot of data, but their intentions were good and the data wasn't actually particularly harmful to individual users. The visualization illustrates it nicely when you watch AOL's bubble shrink from one of the biggest (when reflecting the number of records released) to one of the smallest (when reflecting the sensitivity of the data).

Of course, the point that dominates all the others is the infamous Heartland Payment Systems breach, which impacted over 100-million users. It was, as we noted at the time, the largest data breach ever, and has yet to be supplanted in that spot. By that time, the class action response to such a breach was basically standard practice, and the company took a huge hit — though it also served as an illustration of how broken the class-action system is: Heartland had to spend $1.5-million to track down people for payouts, which amounted to... $1925. In total. Divided among 11 people. Meanwhile, the lawyers made over $600,000.

When you see it all laid out in one place, it's easy to see how the frequency of data breaches has only increased, while little has been done to decrease their scale or intensity. Recent breaches like those at Evernote and LivingSocial impacted tens of millions of people, and came close on the heels of Sony's massive 2011 breach of the PlayStation Network. Overall, it's not a pretty picture, and serves as a reminder to both companies and consumers that the fight for safe, secure data is far from over (even without considering what the government's been up to).

---

This post is sponsored by The Hartford.

Filed Under: data security, hacking, sponsored post