An Autonomous Zone

An autonomous zone to promote an exchange of ideas, skills, and experiences with computer (in)security.


Breach Misconceptions

July 7th, 2008 · 1 Comment

I came across an interesting blog post of security misconceptions from Errata Sec. a while ago:

http://erratasec.blogspot.com/2008/06/verizon-500-breach-report.html

Basically the data came from a report/study of 500 forensic investigations that Verizon released.

http://www.verizonbusiness.com/resources/security/databreachreport.pdf

Personally – I think the security industry is chock-full of misconceptions of the what/how/why of hackers and breaches.

While this report is interesting – the biggest problem with it is that it’s a study drawn from 500 forensic engagements handled by the Verizon Business Investigative Response Team, which means the information is gathered from breaches and forensics engagements of large organizations (people who can afford to pay for Verizon forensics services). What’s wrong with this, one might ask?

Well – in my opinion – large organizations generally have a larger security budget than, say, small businesses and home users – which means large organizations generally have things like regular security testing (a lot of the time required by law or regulation of some sort), patch-management policies, etc., and they don’t constitute the majority of “breaches.” Sure – they’re still getting hacked, otherwise there wouldn’t be a report like this – but the majority of systems that get compromised/hacked don’t belong to large organizations that have some sort of security entity (person or department) in charge of their systems; rather it’s the small businesses and home users, such as the non-tech-savvy grandmas who click on cute and free animated screen saver links from emails and web sites, that get compromised. These end users – the people most likely to get hacked – aren’t represented here.

Much like trying to gather statistical information on the impact of Cross-Site Scripting (or any client-side exploit – which is the most predominant type of exploit these days) – gathering information or statistics on the really vulnerable systems on the internet is almost impossible. These client-side exploits generally affect home users, and given the sheer number of home users it’s really hard to gather test cases. I’d even say that most of the people/systems that have been “hacked” aren’t even aware that they were compromised (like people whose system has been lent to a botnet).

The thing is – when end users of an organization get hacked, as in a Cross-Site Scripting or Microsoft Office exploit, it is generally the lowest-hanging fruit and can have just as much impact as the organization’s servers getting hacked (confidential information, personal credit card data, etc. being stolen).

This is (again, imho) the way the majority of organizations/systems get compromised these days – and this report doesn’t really take this into account – again, it’s very rare that forensics engagements deal with client-side breaches.

This is one of the reasons I like to follow Dancho Danchev’s blog – it’s a great peek into what is “really going on” in the blackhat hacker market (motives, techniques, methodologies, etc.).

Here are some of the misconceptions that were talked about in the Errata Sec. blog:

Misconception: Hackers target their victims.
Verizon data: 85% of attacks were “opportunistic”, the hackers didn’t know who their victims were until after they broke in.

Misconception: Certified anti-virus products detect over 99% of all viruses.
Verizon data: 25% of viruses/malware were customized to their victims and undetectable with standard anti-virus.

Misconception: Hackers are smart, clever, geniuses, wizards, etc.
Verizon data: 55% of attacks required essentially no skills, the level of “script kiddies” running automated tools. Only 17% required “advanced” skills.

Misconception: It’s the insider threat. No, wait, it’s outsiders. No, I mean, it’s the partners.
Verizon data: 73% external, 18% internal, 39% partners. However, external breaches tended to be minor, whereas internal and partner breaches were major. Their numbers show that all three are important threats and that it’s hard to measure which one is worse.

Misconception: Numbers are definitive.
Verizon data: These numbers are a bit subjective. For example, they notice that “physical breaches” were rare, but that’s because Verizon wouldn’t be called in to investigate a physical breach.

Question: What are hackers after?
Verizon data: Credit Card data (84%), Personal identity (32%), Username/passwords (15%)

Question: How old are the vulnerability exploits hackers use?
Verizon data: 71% older than 1-year, another 19% older than 6 months.

(…)
Cheers,

Chuck B.


Benjamin Wright // Jul 8, 2008 at 4:09 pm

    Chuck: The Verizon study spotlights an important topic for debate. Legally speaking, what is “reasonable security?” FTC punished TJX for not having it, but I argue FTC was wrong. Verizon says 9 of 10 data breaches could have been avoided if “reasonable security” were present. That implies 9 in 10 breach victims were in violation of law. The study’s outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates if reasonable security could have prevented a break-in, it does so with the benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is “an extremely complex challenge.” In other words, the sheer problem of locating data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon’s reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. What do you think? –Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
