Saturday, July 11, 2009

Must-Read Verizon Post Demolishes More Myths

I'm a big fan of the 2009 Verizon Data Breach Report. Today I read Compromised Assets & Data: But our company doesn’t handle credit cards... by Verizon's Bryan Sartin. It's an excellent post. I'd like to post several excerpts, emphasizing and expanding on certain points.

I find it fascinating that no matter where in the world you go, what type of company you talk to, public or private sector, you find two very common beliefs:

1. All data stolen in security breach is a result of lost assets, not systems-related intrusions.

2. I don’t handle payment cards (credit or debit) - so this stuff does not apply to me.

If you could only understand how outrageous these sound from the standpoint of the computer forensic investigator. Both thought processes couldn’t be more wrong.

I hear these refrains as well, or at least I see the effects of devoting resources to other projects. Bryan continues:

Pretty much everyone I speak to firmly believes that in the real world, companies do not get hacked into and data is never compromised as the result of a systems-based intrusion. The prevailing wisdom, if you can call it that, suggests that almost all lost records leading to fraud are the product of backup tapes that don’t make it from point A to point B, blackberries left in taxi cabs, and company-issued laptops left at train stations. This is the prevailing wisdom UNTIL a company is hacked.

In reality, hackers and fraudsters target data of value. Companies are targeted, either directly or indirectly, because they are perceived to be data rich, and data that is stolen tends to lead to some measurable form of fraud, whether it is counterfeit, identity fraud, etc...

Online data, including digital repositories of information like databases, transaction logs, and other aggregation and storage points, account for an overwhelming 94 percent of casework and 99.9 percent of all verifiable records compromised.

This is confirmation of my focus on external threats. Bryan turns to his second point:

"But my company doesn’t handle credit cards, so this doesn’t apply to me..." [I]t doesn’t matter whether you store payment card data or not. The threats affecting companies in a particular industry or sector care more about the ability to sidestep security controls reliably, than about what type of data they’ll find once inside. Every company has something of value to a hacker.

If you don't have something of value to an intruder, you probably don't do anything worth keeping you in operation.

The following excerpt is really crucial:

There is no question that our case load is biased toward payment cards. Payment card data is a premium cybercrime target because when applied in a certain manner, stolen records of sufficient content can lead to fraudulent purchases...

[B]based on our figures, I would estimate that payment cards represent as little as 1.2 – 1.5 percent of all data thefts. The remaining 98.x percent being occupied primarily by personally identifiable data (PII), then account credentials, company-proprietary data, and a few other categories in a distant fourth and fifth by incidence. Payment cards are in fact a distinct minority in data theft cases, albeit an extremely noisy minority.

The ensuing fraud is detectable and fraud analysis and detection tools have made it almost elementary to identify the likely source of a suspected payment card breach for almost 10 years.

Did you catch that? A stolen payment card intrusion is detectable. The hacked parties (online vendors, offline vendors, anyone using and storing payment card data) don't detect the actual theft of the data. Fraudulent use of the payment card data is detected by consumers and payment card providers. What about other data?

In simple terms, when payment card data is stolen – someone always finds out about it. The same cannot be said for PII and the other categories of compromised data we see...

Fraud is a direct, easily observable and easily trackable consequence of an intrusion. When an intruder steals payment card data, and the payment card data is used to commit fraud, the hacked party can be identified and notified using external means (bank or law enforcement calling).

However, the consequences of other data theft intrusions are not so easily observed nor tracked. If a competitor steals your company's intellectual property, sales plans, and other sensitive information, it may not be obvious how that competitor beat you to a deal that quarter. This is why I spoke of long-term competitiveness, because you can't tie non-payment card intrusions back to an obvious consequence or impact.

Thanks to Bryan Sartin for such a great post.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.


Keydet89 said...

Would it be accurate to say, then, that even however unknowingly, intruders/attackers are taking advantage of this mindset? After all, denial isn't just a river in Egypt, and if the C-level suite of folks are in that river about network-based intrusions, then isn't that the best route into an organization?

Matthew Wollenweber said...

I think the key is "the consequences of other data theft intrusions are not so easily observed nor tracked" tied with a reported compromise immediately tarnishes the company name and costs money.

Having done several incident responses, I've never seen a company purposely task a consultant or employee with finding evidence of PII compromise. I have seen them halt analysis and have legal parse findings to get out of any legally required reporting.

There are innate problems in the system that need to be addressed if we want companies to make more efforts to protect customer data.