The Global Leader in Application Delivery Networking

F5 Networks

Subscribe to F5 Networks: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get F5 Networks: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Just kidding…partially.  Have you seen the latest 2011 Verizon Data Breach Investigations Report?  It is chock full of data about breaches, vulnerabilities, industry demographics, threats and all the other internet security terms that make the headlines.  It is an interesting view into cybercrime and like last year, there is also information and analysis from the US Secret Service, who arrested more than 1200 cybercrime suspects in 2010.  One very interesting note from the Executive Summary is that while the total number of records compromised has steadily gone down – ‘08: 361 million, ‘09: 144 million, ‘10: 4 million – the case loads for cybercrime is at an all time high – 141 breaches in 2009 to a whopping 760 in 2010.  One reason may be is that the criminals themselves are doing the time-honored ‘risk vs. reward’ scenario when determining their bounty.  Hey, just like the security pros!  Oh yeah….the crooks are pros too.  Rather than going after the huge financial institutions in one fell swoop or mega-breach, they are attempting many more low risk type intrusions against restaurants, hotels and smaller retailers.  Hospitality is back on the top of the list this year, followed by retail.  Financial services round out pole position, but as noted, the criminals will always have their eye on our money.  Riff-raff also focused more on grabbing intellectual property rather than credit card numbers.

The Highlights:

  • The majority of breaches, 96%, were avoidable through simple or intermediate controls; if only someone decided to prevent them.
  • 89% of companies breached are still not PCI compliant today, let alone when they were breached.
  • External attacks exploded in 2010, and now account for the vast majority at 92% and over 99% of the lost records.
  • 83% of victims were targets of opportunity.  Most attacks are opportunistic, with criminal rings relying on automation to discover susceptible systems for them.
  • Most breaches aren’t discovered for weeks to months, and most breaches, 86%, are discovered by third-parties, not internal security teams.
  • Malware and ‘hacking’ are the top two threat actions by percentage of breaches, 50%/49% respectively, along with tops in percentage of records 89%/79%.  Misuse, a strong contender last year, went down in 2010.
  • Within malware, sending data to an external source, installing backdoors and key logger functions were the most common types and all increased in 2010.
  • 92% of the attacks were not that difficult.

You may ask, ‘what about mobile devices?’ since those are a often touted avenue of data loss.  The Data Breach Report says that data loss from mobile devices are rarely part of their case load since they typically investigate deliberate breaches and compromises rather than accidental data loss.  Plus, they focus on confirmed incidents of data compromise.  Another question might have to do with Cloud Computing breaches.  Here they answer, ‘No, not really,’ to question of whether the cloud factors into the breaches they investigate.  They say that it is more about giving up control of the systems and the associated risk than any cloud technology.

Now comes word that subscribers of Sony’s PlayStation Network have had their personal information stolen.  I wonder how this, and the other high profile attacks this year will alter the Data Breach Report next year.  I’ve written about this type of exposure and felt it was only a matter of time before something like this occurred.  Gamers are frantic about this latest intrusion but if you are connected to the internet in any way shape or form, there are risks involved.  We used to joke years ago that the only way to be safe from attacks was to unplug the computers from the net.  With the way things are going, the punch line is not so funny anymore.

ps

Resources:

Technorati Tags: F5, data breach report, threats, Pete Silva, security, malware, technology, Verizon, cyber-threat, social engineering, attacks, virus, vulnerability, web, internet, cybercrime, identity theft, scam, data breach, psn, Sony, PlayStation

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_facebook[1] o_twitter[1] o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]


Read the original blog entry...

More Stories By Peter Silva

Peter is an F5 evangelist for security, IoT, mobile and core. His background in theatre brings the slightly theatrical and fairly technical together to cover training, writing, speaking, along with overall product evangelism for F5. He's also produced over 350 videos and recorded over 50 audio whitepapers. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.

Now having his Telco background he moved to Verio to focus on access, IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicago land area working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Writer, speaker and Video Host, he's also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others.