If there’s any generalization we can make from the headlines this year, it’s that no one is immune to data breaches. Whether it’s state-sponsored actions, hacktivists, or cyber pranksters and criminals, there are plenty of people out there looking to get their hands on information that they really shouldn’t have.
Looking at Patterns and Trends
The Verizon RISK Team’s 2013 Data Breach Investigations Report took a look at over 47,000 security incidents in 2013 and found a wide range of motives for data breaches. Hacktivists and others looking to make a quick buck usually go after easy targets, such as insecure systems within the enterprise. Organized crime units may be more willing and able to target better-protected systems, given the possibility of a larger payoff. There are also those who target specific individuals or organizations; these attackers are skilled and persistent enough to slowly wear down defenses until they can reach what they’re looking for.
While all this paints a bleak picture, it’s clear that some of these breaches could have been prevented altogether. Of the 612 data breaches covered in the report, Verizon’s investigators characterized the initial intrusion in 78 percent of them as “low difficulty.” This means that the vast majority of these attacks might have been prevented by adopting basic security controls, switching to stronger authentication schemes and following established best practices.
Although not all breaches are the same, there are some patterns that emerge in terms of how organizations have been compromised. Understanding these patterns can assist organizations in determining how to better defend their systems.
Methods of Attack
According to the report, the most common methods of attack fell into several categories: 1) Hacking; 2) Malware; 3) Physical Attacks; 4) Social Engineering; 5) Misuse; and 6) User Error. The categories are not mutually exclusive, since a single breach often involves more than one method, which is why the percentages below add up to more than 100. Hacking was identified as the most common method, at 52 percent, closely followed by malware at 40 percent. Physical attacks (e.g. adding skimming hardware to ATMs) trailed at 35 percent. Social engineering was a serious factor at 29 percent. Misuse, which included activities like privilege abuse and the use of unapproved hardware, came in at 13 percent and correlated strongly with insider attacks. Finally, user error rounded things off at 2 percent.
Verizon researchers commented, “Treating our adversaries as random and unpredictable is counterproductive. We may be able to reduce the majority of attacks by focusing on a handful of attack patterns.”
A quick checklist
What happens if a breach occurs despite the best intentions and preventative efforts? There are some tasks that definitely need to be done in the event of a data breach. On a very basic level:
- Investigate, identify and fix – The source of the breach should be identified and addressed as quickly as possible to prevent further compromise. In the process, additional security gaps may be uncovered. While this is being done, ensure that detailed documentation is kept. Record, at a minimum: who discovered the breach; when the breach occurred; how much data was compromised; and what type of data was compromised. This may require lengthy interviews and even weeks of investigation.
- Inform external authorities – When data has been stolen or compromised, it’s important to inform various levels of law enforcement as well as legal counsel. If the organization has a PR/crisis management team, this is when they’ll take center stage.
- Inform internal authorities – Keep the lines of communication open with internal stakeholders. This may include finance, accounting, HR, IT and the entire upper management team.
- Inform end users – Ensure that your customers/clients hear about the breach from you first. This may include putting together written communications, as well as getting the customer support team up to date on the issue so that they can best deal with the inevitable inquiries.
This article takes a look at the information uncovered in Verizon’s 2013 Data Breach Investigations Report. According to the report, the most common methods of attack fell into several categories: 1) Hacking; 2) Malware; 3) Physical Attacks; 4) Social Engineering; 5) Misuse; and 6) User Error. The article also outlines some basic responses to data breaches within an organization.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT), a privacy professional should be comfortable with topics related to this post, including:
- Combating threats and exploits (III.E.b.)