Organised crime behind most computer security breaches


While most security professionals – and many survey and report results – claim that, statistically speaking, corporate insiders pose the greatest security risk to any given organisation, a report by Verizon Business reveals the opposite.

The company’s Data Breach Investigations Report 2009 covers 90 cases of confirmed data breaches investigated by the Verizon Business Investigative Response unit (part of its security RISK team) last year, ITWeb features editor Samantha Perry reports.

According to Matthijs van der Wel, head of the EMEA forensics team at Verizon Business, speaking at the RSA Security Conference, in London, external sources were responsible in 74% of data breach cases last year, while insiders accounted for 20%, and 32% occurred via partners (such as third parties that have access to a company’s systems).

The overlap, he says, comes in when multiple parties were involved in a breach.

Ninety percent of the breaches investigated were attributed to organised crime activity, he states. “Five of the seven largest breaches publicly known are in our report,” he adds, maintaining confidentiality by not identifying which ones.

The internal breaches, he says, were performed by an even split of end-users and administrators. In cases where partners were involved, the breaches mostly came via hijacked third-party accounts/connections. “These connections/accounts are out of the organisation’s control and most organisations have great difficulty monitoring these. It’s like creating a back door where you have no control of what type of lock is installed or who has keys,” he states.

Last year’s case load saw 285 million records stolen, more than the previous four years’ combined total of 230 million.

“There’s a whole economy out there,” says Van der Wel. He adds that the market for credit card records has been flooded, resulting in a drop in price from between $10 and $16 per record two years ago to around $0.50 today.

Says the report: “As supply has increased and prices fallen, criminals have had to overhaul their processes and differentiate their products in order to maintain profitability.”

As Van der Wel puts it: “So if you want to make a lot of money, you either have to sell lots of records, or sell information that is still valuable.

“We’re still seeing criminals trying to access banks and financial institutions to either get a lot of data or valuable data, for example PINs,” he adds.

“PIN fraud typically places a larger share of the burden upon the consumer to prove that transactions are fraudulent. This makes the recovery of lost assets more difficult than with standard credit-fraud charges. The higher value commanded by PIN data has spawned a cycle of innovation in attack methodologies.

“Criminals have reengineered their processes and developed new tools – such as memory-scraping malware – to steal this valuable commodity. This has led to the successful execution of complex attack strategies previously thought to be only theoretically possible,” the report adds.

From a risk management perspective, Van der Wel asks: “Are you a target of choice or opportunity?”

He says a target of opportunity has some data that’s not worth a lot. “If you’re a target of choice, you either have a lot of data, or data worth a lot, in which case you need to understand that the organised crime sector has a lot of resources available to dedicate to getting that data.”

This is the message in many of the talks at the RSA Security Conference: the criminals are out there, they’re organised, they’re behaving exactly like any other business (down to risk analysis when identifying targets and monthly board meetings), and if not taken seriously, they could spell trouble.

Facts and figures:

How do breaches occur?
* 67% were aided by significant errors
* 64% resulted from hacking
* 38% utilised malware
* 22% involved privilege misuse
* 9% occurred via physical attacks

What commonalities exist?
* 69% were discovered by a third party
* 81% of victims were not payment card industry compliant
* 83% of attacks were not highly difficult
* 87% were considered avoidable through simple or intermediate controls
* 99.9% of records were compromised from servers and applications