2012 Data Breach Investigations Report

Transcription

1 2012 Data Breach Investigations Report A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information Security Service, Police Central e-crime Unit of the London Metropolitan Police, and United States Secret Service. Brian Grayek CISSP, ITILv3 SW US Area Manager - Terremark

2 Data Breach Investigations Report (DBIR) Series An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who s doing it, why they re doing it, and, of course, what might be done to prevent it. -- Available at: Updates/Commentary: Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 3

3 Hold on Wha??? Why is my telco investigating breaches? Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 4

4 Enterprise Solutions to Meet Business Imperatives IT Services Security Services Communications Services Networking Services Mobility Cloud-based Services Data Center Services Managed Applications Managed IT Equipment and Services Professional Services Government, Risk and Compliance Identity and Access Management Managed Security Equipment and Services ICSA Labs Professional Services RISK Team falls here Contact Center Services Unified Communications Video, Web and Audio Conferencing Traditional Voice Emergency Communications Services Equipment and Services Professional Services Internet Private WAN Private Point to Point Access Services Managed Networks Equipment and Services Professional Services Advanced Communications Applications and Content Global Communications Hardware Mobile Data Voice and Messaging Professional Services Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 5

5 2012 DBIR Contributors Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 6

6 Methodology: Data Collection and Analysis DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data. Enables case data to be shared anonymously to RISK Team for analysis VERIS is a (open and free) set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner. VERIS: Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 7

7 An overview of our results and analysis Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 8

8 Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 9

9 Threat Agents Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 10

10 Threat Agents: Larger Orgs Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 11

11 Threat Agents Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 12

12 Threat Agents: External Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 13

13 Threat Actions Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 14

14 Threat Actions: Larger Orgs Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 15

15 Top Threat Actions Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 16

16 Top Threat Actions: Larger Orgs Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 17

17 Compromised Assets Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 18

18 Most Compromised Assets Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 19

19 Compromised Assets: IP & classified data Servers 98% Networks 0% User Devices 7% Offline Data 41% People 46% Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 20

20 Asset Ownership, Hosting, and Management Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 21

21 Compromised Data Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 22

22 Compromised Data Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 23

23 Attack Difficulty Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 24

24 Attack Targeting Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 25

25 The 3-Day Workweek Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 26

26 Timespan of Events Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 27

27 Timespan of Events: Larger Orgs Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 28

28 Breach Discovery Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 29

29 Breach Discovery Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 30

30 PCI DSS Compliance Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 31

31 An overview of Recommendations Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 32

32 Recommendations: Smaller Orgs Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 33

33 Recommendations: Larger Orgs Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 34

34 Verizon Solutions: Larger Orgs Eliminate unnecessary data; keep tabs on what s left Strategy/Assessment Business Case Analysis, Roadmap and Policy Review, Data Protection Strategy, Product Evaluation Data Protection Data Discovery and Classification DDISC, Information Classification Data Loss Prevention DLP Maturity, DLP Post Leak Management Operationalization, DLP Rights Management, Health Check, DLP Mobile Device Remote Kill Management Encryption/Key Management PKI Roadmaps and Deployment, File/Folder and Full Disk, and Messaging, Application and Platform Specific (i.e. Oracle) Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 35

35 Verizon Solutions: Larger Orgs (cont d) Ensure essential controls are met; regularly check that they remain so : Managed Security Services Identity & Access Management Vulnerability Management Professional Services Business Security Assessment Information Assurance (IA) Management Action Plans Security Management Program Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 36

36 Recommendations and Solutions: Larger Orgs (cont d) Monitor and mine event logs : Managed Security Services Application log monitoring and management service Managed network and security services for remote monitoring and management of devices (e.g., firewalls, VPNs) Network and host intrusion detection/prevention systems Gateway anti-virus systems, proxy and content screening systems Identity & Access Management Log Analysis Tools Professional Services Identification of critical log sources Defining security requirements Customizing a filtering, classification policy Implementation capabilities including project and technology management, and configuration (including standardizing log formats before transport to central log server) On-site installation and staging Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 37

37 Recommendations and Solutions: Larger Orgs (cont d) Evaluate your threat landscape to prioritize your treatment strategy : Professional Services Internal and External Network Vulnerability Testing Penetration Testing Application Vulnerability Assessment Security Management Program Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 38

38 Verizon Solutions Protect Against the Top 10 Threat Actions: Hacking: Use of stolen credentials (30% of breaches) Description Refers to instances in which an attacker gains access to a protected system or device using valid but stolen credentials. Verizon Enterprise Solution - Identity & Access Management (professional and managed services) - Security Awareness Training - Security Management Program Malware: Backdoors, Command and Control (18% of breaches) Hacking: Exploitation of backdoor or command and control channel (17% of breaches) Description Tools that provide remote access to and/or control of infected systems. Backdoor and command/control programs bypass normal authentication mechanisms and other security controls enabled on a system and are designed to run covertly. Verizon Enterprise Solution - Professional Services: Security Policy Review - Professional Services: Host-build assessment - Managed Security Services: Host IDS - Internet Managed Scanning Services - Data Loss Prevention (strategy, planning, design, implementation & management) - Log Monitoring and Management - Identity and Access Management (professional and managed services) Physical: Tampering (17% of breaches) Description Unauthorized altering or interfering with the normal state or operation of an asset. Refers to physical forms of tampering rather than, for instance, altering software or system settings. Verizon Enterprise Solution - Security Awareness Training - Professional Services: Physical Security Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 39

39 Verizon Solutions Protect Against the Top 10 Threat Actions (cont d): Keylogger/Form-grabber/Spyware (13% of breaches) Description Malware that is specifically designed to collect, monitor, and log the actions of a system user. Typically used to collect usernames and passwords as part of a larger attack scenario. Also used to capture payment card information on compromised POS devices. Most run covertly to avoid alerting the user that their actions are being monitored. Verizon Enterprise Solution - Professional Services: Security Policy Review - Professional Services: Host-build assessment - Managed Security Services: Host IDS - Internet Managed Scanning Services - Identity and Access Management - Security Management Program Pretexting (Social Engineering) (12% of breaches) Description A social engineering technique in which the attacker invents a scenario to persuade, manipulate, or trick the target into performing an action or divulging information. These attacks exploit bugs in human hardware and, unfortunately, there is no patch for this. Verizon Enterprise Solution - Professional Services: Social Engineering - Security Awareness Training - Security Management Program Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 40

40 Alignment of Recommendations and Solutions Protect Against the Top 10 Threat Actions: Brute-force attack (8% of breaches) Description An automated process of iterating through possible username/password combinations until one is successful. Verizon Enterprise Solution - Identity & Access Management Services - Professional Services: Encryption and Key Management - Application Log Monitoring SQL injection (8% of breaches) Description SQL Injection is an attack technique used to exploit how web pages communicate with back-end databases. An attacker can issue commands (in the form of specially crafted SQL statements) to a database using input fields on a website. Verizon Enterprise Solution - Application Vulnerability Scanning - Secure Application Development Training - Application Security Program - Professional Services: - Secure Source Code Review - Penetration testing - Application firewall implementation, monitoring & management - Identity and Access Management - Database audit technology monitoring & management Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 41

41 Recommendations and Solutions Protect Against the Top 10 Threat Actions (cont d): Unauthorized access via default credentials (43% of breaches with single threat action) Description Refers to instances in which an attacker gains access to a system or device protected by standard preset (and therefore widely known) usernames and passwords. Verizon Enterprise Solution - Identity & Access Management (professional and managed services) - Partner Security Program - Security Management Program - Penetration Testing Phishing (and endless *ishing variations) (8% of breaches) Description A social engineering technique in which an attacker uses fraudulent electronic communication (usually ) to lure the recipient into divulging information. Most appear to come from a legitimate entity and contain authentic-looking content. The attack often incorporates a fraudulent website component as well as the lure. Verizon Enterprise Solution - Internet Managed Scanning Services - Managed Web-Content Filtering (Websense, etc.) - Professional Services: Security Policy Review - Security Management Program Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 42

42 Measuring and managing information risk To properly manage risk, we must measure it. To properly measure risk, we must understand our information assets, the threats that can harm them, the impact of such events, and the controls that offer protection. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 43

43 A threat event that is measurable (and thus manageable) identifies the following 4 A s: Agent: Whose actions affected the asset Action: What actions affected the asset Asset: Which assets were affected Attribute: How the asset was affected Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 44

44 Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 45

45 Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 46

46 Diagnose Ailments Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 47

47 Policy People Process Technology Policy People Process Technology Policy People Process Technology Treatment strategy Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 48

48 EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 49

49 Data Breach Investigations Report (DBIR) series = evidence for measuring and managing risk Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 50

50 Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 51

51 DBIR: VERIS: Blog: Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 52