When Hackers Want Much More Than Money
Insider attack data breaches are down in 2011, but hacktivist
attacks, with motives beyond money, are up, reports Verizon 2012 Data
Breach Investigations Report.
Call 2011 the year that hacktivism became the leading cause of data breaches.
Notably, 58% of all data stolen in 2011 didn't go missing for
monetary-gain purposes, as has traditionally been the case. Instead, it
was obtained and leaked by hacktivist groups such as Anonymous and LulzSec.
That's according to the 2012 Data Breach Investigations Report from Verizon, released Thursday. As in previous years, both the U.S. Secret Service and the Dutch National High Tech Crime Unit contributed data to the report. For the first time, however, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit
of the London Metropolitan Police also contributed data from their
investigations. All told, the report analyzed data from 855 incidents,
involving 174 million compromised records.
[ Businesses are becoming more efficient in breach responses. See Data Breach Costs Drop. ]
Overall, the Verizon report found that 98% of attacks were caused by outsiders, although sometimes in collusion with insiders, who were involved in 4% of attacks, and business partners, who were involved in fewer than 1% of attacks.
Interestingly, about five years ago, previous Verizon data breach
studies were reporting that about an equal number of attacks could be
traced to insiders as well as outsiders. Since then, however, the number
of losses traced to cyber criminals has increased, and in 2011, hacktivism came onto the scene in force.
"We're all seeing in the media the Occupy movement, Anonymous. There's a
big mentality shift where it used to be all about the money, and now
we're seeing a big shift where it's not all about the money," said
Novak. "We're seeing a lot of these hacktivist groups that are doing it
purely for political or social reasons."
Whether or not Anonymous and its ilk hold up a mirror to the poor state of IT security,
as some industry watchers have said, such groups often face few
obstacles. Notably, 96% of the attacks detailed in the Verizon report
weren't highly difficult, and 97% could have been easily avoided without
needing to resort to difficult or expensive countermeasures.
Furthermore, 79% of breached businesses were simply targets of
opportunity.
Novak cautioned, however, that insider attacks are still a significant
problem, and quantity-wise may not have changed significantly. But with
the overall number of attacks and breached records reported to Verizon
having increased dramatically, that's skewed the percentages away from
insider attacks.
As in previous years, the Verizon report found that cybercrime attacks
are global in nature. Indeed, attacks launched in 2011 that resulted in
breaches originated in at least 36 countries, versus just 22 countries
in 2010. In 2011, the vast majority (70%) of attacks came from Eastern
Europe, while just one-quarter were launched from the United States.
Attackers often favor a one-two punch. For starters, 81% of attacks and 99% of all compromised data involved hacking. But malware was also used in 69% of all attacks, and involved in 95% of compromised records.
Interestingly, this malware is rarely encountered by accident. "A lot of
what we're seeing is hackers getting in through some other means, then
planting this malware," said Novak. "So it's no surprise that the
malware is so good at getting this data out." In terms of the "getting
in" part, meanwhile, he said that exploiting weak credentials--including
poor passwords--was
the leading technique used by attackers, especially for smaller
businesses. For larger businesses, meanwhile, attackers often installed
keystroke loggers and password stealers, to make an end run around the
network security defenses.
Another interesting finding is that attacks with a physical component
that resulted in data breaches appeared to decline between 2010, when
they'd spiked, and 2011, when fewer than 1% of compromised records, and
just 10% of attacks, involved a physical component. What's behind the
apparent decrease? First, Verizon said that card-skimming attacks
certainly haven't gone away, and also that it's oftentimes difficult to
quantify the number of records that went missing as a result.
But Novak said the decline also seems to be due to law enforcement
agencies catching more card-skimming gangs. In fact, given the
traditional emphasis placed on physical--more than
cyber--investigations, he said the expectation was that law enforcement
agencies would simply be catching more people behind physical crimes
that led to data breaches. But in fact, it appears that these physical
crimes are declining. "The fact that we're seeing physical go down,
despite the fact that we have more law enforcement agencies reporting
in, is one way we determined [that it's declining]," he said.
Cybercriminals shouldn't breathe easy, however, since almost every type of law enforcement agency is adding cybercrime investigation capabilities.
"Most law enforcement agencies are tooling up at an amazing rate," said
Novak. "Most law enforcement agencies are finding that there's a cyber
piece to almost every case now. For example, people who investigate
homicides, traditionally they never spoke with the cyber folks. But now
they find that a cellphone in their case must be analyzed, a laptop must
be analyzed."
Most external hacks of databases occur because of flaws in Web applications that link to those databases. In this report, Protecting Databases From Web Applications,
we'll discuss how security teams, database administrators, and
application developers can work together to improve the defenses of both
front-end Web applications and back-end databases to prevent these
attacks from succeeding. (Free registration required.
Comments