Some interesting facts from the latest Verizon Data Breach Investigations Report, which for 2010 was, for the first time, a joint report by Verizon and the US Secret Service.
This applies only to breaches within the USA of course, but there are still some lessons for us all.
Firstly, of 84 "confirmed breaches of data security" investigated by the US Secret Service, 66% led to arrests. Not all got the publicity of Albert Gonzalez, who was sent to jail for 20 years in March this year for stealing more than 90 million credit and debit card numbers. In fact some received no publicity at all, as the companies from which the data was stolen were loath to have their problems revealed.
Most thefts happened in-house: rogue employees such as programmers were involved in nearly half the cases, but those cases accounted for only 3% of the records stolen. In other words, the inside jobs were small jobs. But the report warned about outsourcing: "Organizations that outsource their IT management and support also outsource a great deal of trust to these partners."
And there was not a single case involving a foreign government.
SQL database queries were used in more than half the cases: programmed queries that pluck data from the system and send it to the requester. This is a bit like the queries you can set up in Access or the old dBase. It seems to mean that the real problem is in the programming used by a vast majority of businesses.
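An added illustration, not taken from the post or from the report, of what that programming problem looks like in practice: the same customer lookup written once with string concatenation and once as a parameterised query, run against a constructed in-memory SQLite table (the table, rows and function names are assumptions made for this example).

```python
import sqlite3

# Constructed sample rows (not real data): customers with a masked card number on file.
CUSTOMERS = [
    (1, "alice", "4111-XXXX-XXXX-1111"),
    (2, "bob", "5500-XXXX-XXXX-0004"),
]


def open_db():
    """Create an in-memory database seeded with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, username TEXT, card TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return con


def lookup_unsafe(con, username):
    """Query text is assembled from user input, so the input can change the SQL itself."""
    sql = "SELECT username, card FROM customers WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, username):
    """Parameterised query: the driver passes the input as a value, never as SQL."""
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    con = open_db()
    # A username value containing a quote turns the concatenated WHERE clause into a tautology.
    crafted = "x' OR '1'='1"
    print(lookup_unsafe(con, crafted))  # returns every row in the table
    print(lookup_safe(con, crafted))    # returns [] because no such username exists
```

Code review or a grep for queries built with `+` or `%` formatting finds the first form; the second form is the fix, regardless of database engine.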
Keyloggers, the programs that record what users are entering via the keyboard, and which can be hidden in other programs or installed without the user's knowledge from compromised websites, and which are often used to scare users, accounted for only 1% of the stolen data -- down from 80% the year before. So the bad guys have found better ways to steal the info.
And what of the other big scare tactic: keep updating or you'll compromise your computer? Well, Verizon and the Secret Service could not come up with a single case which "exploited a patchable vulnerability."
One wonders, however, whether companies are keeping as close a watch on their data as we might reasonably expect. The report states: "Third-party fraud detection is still the most common way breach victims come to know of their predicament".
As Woody Leonhard states in the Windows Secrets newsletter: "Companies learn of breaches when customers report them. So if you think your data's been stolen, holler yer head off!"