Layer 8

Once more into the breach report.

So Verizon Business released one of the hottest breach reports in the industry—and by hot, I don’t mean just that it’s in that cool black and red and has bubble charts galore. No, I mean that their executives can travel to conferences on it for the whole YEAR and if they play their cards right, nobody will get tired of hearing about it. I’m looking forward to seeing what the pundits say about the conclusions.

There are some awesome data points here, ones that puncture the conventional wisdom:

- A big majority of the breaches resulted from outsider attacks.

- You can prevent most of these breaches by doing really simple and cheap things, like CHANGING DEFAULT PASSWORDS (more on that later).

- 81% of the victims were not PCI compliant (ouch!).

- Nearly half their caseload comprised interrelated incidents (different parts of the same organization, committed by the same individual, etc.).

Now, let’s look at the visualization, which is really half the appeal of the report. There was a gratuitous use of bubble charts; most of these could easily have been depicted by bar charts, but I guess they wanted some variety in their geometric shapes (this led to my frequent impression that the data breaches were all coming from Jupiter). The only really stellar (heh) use of the bubble chart was figure 31, showing the different time spans for breaches, in which you could get an overall feel for the proportions of a complex data set at a glance. That one and the line chart showing threat categories were worth spending a lot of color on.

They mostly did a good job slicing and dicing the numbers, but they went a bridge too far when they trotted out their “pseudo risk calculation.” First of all, I’ve never liked the variations on “frequency x impact = risk” because I always ended up with a number in the “risk” category that sat in my hand like a Japanese vending machine snack: I had no idea what it was, didn’t want to consume it, and certainly didn’t want to foist it off on anyone else because I couldn’t vouch for it. In this case, the mystery gelatinous mass is still the “risk” column in their chart, which is simply a blending of their historical data—NOT likelihood—and the number of records breached, which gives you 28,000 Somethings. Now, I’m always suspicious when two columns of a chart have units specified and the grand finale column doesn’t. Is that supposed to be the average number of records someone can expect to lose next year with a probability of 1.00? They don’t SAY it’s the number of records, but that’s the most likely candidate, given the scale. Is this supposed to be a substitute for annualized loss measured in dollars?

Guys, if you have to call it “pseudo,” you’re already backing away from it yourselves. If you can’t vouch for it and tell me exactly what’s in it, I ain’t eating it.

On the upside, I was glad to see some other things confirmed, such as my belief that database encryption really doesn’t buy you a whole lot in terms of protection, because the attack pathways are the same ones that belong to legitimate users. (Encryption at rest is for protecting data that is TRULY at rest, i.e., the server is turned off.) It is depressing, but utterly believable, to see that the vast majority of breaches are aided by “errors and omissions,” also known as system administration FAIL.

Looking at the commonalities, we see the very elementary errors and misconfigurations, the lack of PCI compliance, and the fact that most of the breaches were detected by a third party. If you roll this all together, you could plausibly assume that the victims were all generally lackadaisical about managing their systems. This could be attributed to a lack of skilled resources—and by that, I mean that either they didn’t have sufficiently knowledgeable resources, or they had skilled ones but way too few of them to get the work done. You might be able to infer that these folks didn’t want IT management cramping their style; that would also explain why very basic security measures weren’t properly implemented. And finally, we see that third parties and their interconnectedness play a significant role, in that mergers and acquisitions make an IT environment more complex than it already was, and trusted third parties really shouldn’t be trusted when their own security house isn’t in order either.

All in all, there were enough interesting data sets in here to keep it from being another standard industry FUD piece. I actually learned some things from it, so color this one a winner.

Posted by shrdlu on Tuesday, April 14, 2009
(9) Comments • Permalink •

Next entry: Reefer(ral) Madness.

Previous entry: Trust never sleeps.

Comments

.(JavaScript must be enabled to view this email address)

on 04/19 at 08:38 PM:

Hi Shrdlu,

I agree that there’s some very good data in the Verizon report. That said, Brooke made some observations about it that I believe are worthwhile for people to consider.

http://newschoolsecurity.com/2009/04/a-curmudgeon-is-a-little-confused-by-the-2009-dbir/#comments

Cheers,
Jack

shrdlu

on 04/20 at 07:17 AM:

Hey Jack, good to see you!

One of Brooke’s points appears to be that the data show that the vast majority of the records were affected (we’ll drop the word “breached” for a moment ) by more difficult attacks. That being the case, what do we infer about reducing the number of loss events as opposed to the amount of loss? The other question is what Verizon defined as “difficult”—does that include SQL injection? They show that the vast majority of records were affected in attacks that included “hacking” that were “aided” by these “configuration errors.” Look at this last sentence carefully, and you’ll see that there’s a lot of ambiguity and imprecision there.

That’s the other problem with the presentation of the data: it’s hard to figure out which breaches comprised more than one kind of attack, which was aided by more than one “significant error” on the part of the victim. If we drive towards the kind of precision that would be helpful, we start to compromise the privacy of the companies involved.

Gary Hinson

on 04/21 at 01:39 AM:

[Preface: I haven’t read the report yet but will do now, after your exposition.]

You mentioned PCI compliance: this only applies to organizations handling card data. Agreed that’s quite a few but not all. Compliance is not required of the remainder.

What about compliance with other, more generally applicable infosec standards such as the ISO/IEC 27000-series? Do they even get a look in? And if not, do you think ISO27k compliance might have made a difference?

Rgds,
G.

shrdlu

on 04/21 at 07:21 AM:

Hi Gary,

I know about PCI—it appears that Verizon’s caseload was heavily biased towards those organizations handling card data. (Note that there were NO public sector organizations in their breakdown. Zero, zip, nada.) As for other infosec standards, I would be interested in seeing data on those before I made a call one way or the other. My gut feeling is that the risk of breach would be dependent on factors outside of compliance. If you are an organization that is effective at security, you may well be compliant as an afterthought; but if you’re an organization that does not do security well, and therefore needs compliance as a minimum baseline, you are probably not doing security effectively enough in other respects to prevent a breach.

Gary Hinson

on 04/21 at 03:22 PM:

OK Shrdlu, understood. It’s interesting that infosec pros treat PCI, ISO27k and others as minimal baselines whereas others generally see them as rather more than basic. Perhaps we are over-selling the standards, or perhaps they really *are* too weak and should be toughened up.

Cheers,
G

shrdlu

on 04/21 at 04:08 PM:

Hi Gary,

Obviously, your mileage may vary, but aren’t standards by definition whatever you can safely generalize to as much of the population as possible? Unfortunately, our computing today is at such a non-standardized state that a standard may never prove sufficient (see for example Heartland, which was supposedly PCI compliant at the time of the breach, but there are a lot of arguments about that one). You can have a standard that tells you to avoid SQL injection vulnerabilities, but that will never cover the unique business logic in an application that can also be exploited.

I think most people would agree that standards are necessary but not sufficient in infosec. I wouldn’t know where to begin to “toughen up” standards so that they were sufficient in all, or even most cases. But that’s why we have you smart folks working on it.

.(JavaScript must be enabled to view this email address)

on 04/24 at 07:10 AM:

Hi Shrdlu! It’s always good to “see” you too.

Great question/observations regarding what we might infer, and the challenges in how the data’s been presented.

Regarding inferences about reducing loss event frequency versus loss magnitude, you’re exactly right that we’re hamstrung by the definition challenges. Just off the top of my head though, I suspect that if the attacks were truly “difficult”, the bad guys would have gone elsewhere. My guess is that the attacks were sophisticated in some respect, but that the fundamental problems that allowed them to be successful were relatively basic. If this isn’t the case, then we might infer that once the bad guys choose a target, they’ll do whatever is necessary to bring it down. This would imply that we’re then faced with managing loss magnitude rather than frequency, which needs a white paper to discuss…

If, however, I’m correct in that the attacks weren’t fundamentally difficult, then that brings us back to managing frequency/likelihood by taking care of the basics. The old “You don’t have to outrun the bear, you just have to outrun the other people running from the bear” idea. If my organization is materially more difficult to hack than the one down the road, then odds are I’ll have a lower incident frequency.

As for specifics and the privacy of the companies involved, I guess it depends on what we’re trying to protect them from. By “privacy” do we mean we don’t want to potentially embarrass them by exposing specific decision or execution errors on their part, or do we mean we don’t want to provide information that might expose them to further attacks? (Or both?) I don’t believe any decision/execution problems exposed are likely to be much different/worse than 99% of companies are guilty of. As for increasing the potential for additional attacks, I suppose there’s some potential for that, depending on the nature of their deficiencies. That said, if they’ve recognized the breach occurred and have taken reasonable steps to mitigate, then it’s less likely to be a problem. This can be somewhat reduced by anonymizing the data, although the small number of big events makes it easier to recognize what happened where.

Cheers,
Jack

shrdlu

on 04/24 at 08:14 AM:

Jack, as usual, we agree on everything. You’re right—there is a cultural issue surrounding privacy issues and breach disclosure, and if I ever get two brain cells to rub together, I’m going to blog about it.

shrdlu

on 04/24 at 08:16 AM:

One more thought—if “difficult” is used in the report to mean “sophisticated attack methods used,” that might not be terribly useful. You can overdo an attack on weak controls and it doesn’t mean the attack itself was difficult to pull off; it just means you were showing off to the investigators.