Verizon: Retail Data Breaches Typically Discovered By Accident

In its annual report of retail data breach statistics, the forensic analysis group at Verizon Business details a series of stats that essentially verify what most retail IT execs already knew. This year is no exception, with evidence of breaches that are discovered by accident when they're discovered at all, successful attacks that used remarkably little sophistication and PCI holes galore.

But there's something about seeing these conventional wisdoms substantiated with statistics that is comforting, along the lines of "Hey! We were right. But we're also royally screwed." With that in mind, some of the more delicious details from this new report, which was published Wednesday (April 15).

  • The Most Difficult PCI Requirements Are Ignored The Most
    This shouldn't surprise anyone, but how closely the non-compliance aligns with difficulty level is intriguing. PCI requirements 3 (protect stored data), 6 (develop and maintain secure systems and applications) and 10 (track and monitor all access to network resources and cardholder data) were the least complied with, coming in respectively at 11 percent, 5 percent and 5 percent.

    "When one considers the prevalence of unnecessary and/or unknown data stores, frequency of SQL injection attacks, and lengthy compromise-to-discovery periods discussed extensively in this (and our last) report, this finding is hardly surprising," the report said. "This trio of deficiencies factored heavily into many of the largest breaches investigated by our team over the past five years. Unfortunately, these statistics—and those discussed earlier regarding the low utilization of discovery and detective controls—suggest that attacks exploiting these areas will continue to be a challenge for the foreseeable future."

    Even more frightening are some of the requirements that fared better. For example, "Do not use vendor-supplied defaults for system passwords and other security parameters" fared the second-highest—which is great—but it was observed by only 49 percent of breached merchants. Yes, that means that most of the chains (51 percent) were still using vendor defaults. *sigh*

    The most compliant requirement—"Encrypt transmission of cardholder data and sensitive information across public networks"—was mastered by 68 percent. That means that roughly one-third (32 percent in this case) of the breached merchants had been sending cardholder data in the clear over the Internet. Five percent or ten percent would be bad enough, but a full third? Something's very wrong out there.

  • Many Chain Victims Had Never Been Assessed For PCI
    More than 75 percent "of organizations suffering payment card breaches within our caseload were found not compliant with PCI DSS or had never been audited. This status was not determined by our Investigative Response team but rather by the victim's attestation or Qualified Security Assessor (QSA)."
  • "Auntie Em! Auntie Em! Need Anti-Forensics Antidote"
    The cyber thieves are fighting back and their tools are often one step beyond ours. "Investigators found signs of anti-forensics in over one-third of cases in 2008. The most common forms of anti-forensics measures observed in the field are Data Wiping, Data Hiding, and Data Corruption. The prevalence of these among investigations conducted in the last year" was 31 percent using data wiping, 9 percent data hiding and 3 percent opting for data corruption, the report said. "The pervasiveness of Data Wiping, which includes removal and deletion, comes as no surprise. Many commercial off-the-shelf products are available that perform this function (there are many legitimate uses for wiping data) as well as freeware utilities. With respect to Data Hiding, the use of steganography has remained relatively rare and flat year-over-year. On the other hand, the use of encryption for the purposes of Data Hiding has risen by almost 10 percent. Where Data Corruption was observed, it was mostly manifested as log tampering."

    But an even more interesting observation was where most of the anti-forensics efforts happened. "Intuitively, the breaches in which anti-forensics were utilized tended to be larger in size and longer in duration. For many of the smaller 'smash and grab' attacks, destroying evidence is simply not worth the effort. Plus, those attacks are often perpetrated by attackers of lower skill who are ignorant of antiforensic measures. In this sense, the use of anti-forensics is progressing beyond its roots as a defensive tactic used to avoid prosecution and is increasingly employed in an offensive capacity to expand and extend the attacker's ability to compromise data."

  • Breaches Being Discovered By Accident
    . Breaches were discovered by third parties (processor, bank, card brand, law enforcement, etc.) a whopping 69 percent of the time, with another 24 percent detected by internal mechanisms that accidentally detected the breach. The frequency of perimeter alerts successfully catching, well, someone violating the perimeter, was only 7 percent.

    "Employees happening upon breaches during their normal work activities remain a distant second to the combined third-party detection or notification categories, followed closely by unusual system behavior. These two methods, while unplanned, seem to be an organization's best chance of discovering a breach on their own. That's hard to believe, but it's also hard to argue with five years of data that all reveal a similar finding," the report said. "As with prior years, active measures (referring to those that are specifically designed for detection) taken by the organization detect only a small proportion of breaches. It is clear that breach discovery remained a largely passive endeavor in 2008."

  • Some 75 Percent Of Breaches Undiscovered For Weeks Or Months
    "On the whole, organizations discovered breaches slightly quicker in 2008. However, lest we confuse 'quicker' with 'quickly,' this statement needs some additional context. Breaches still go undiscovered and uncontained for weeks or months in 75 percent of cases. It is doubtful that any chief security officer anywhere would call this 'quick.'"
  • Low- and None-Difficult Attacks Done 52 Percent Of The Time
    Said the report: "The relative difficulty of attacks leading to data compromise is not only an excellent indicator of the current threat environment, but also the state of modern security programs. During each case, our investigators assess the details of the attack and classify it according to the following difficulty levels."

    You saw this one coming. Attacks that required "no special skills or resources. The average user could have done it" represented 10 percent of the probed attacks. But add that the 42 percent of attacks that were designated as low-difficulty—"Basic methods, no customization, and/or low resources required. Automated tools and script kiddies"—and it's clear that most attacks were especially sophisticated. Moderate skill attacks—defined as attacks using "skilled techniques, some customization, and/or significant resources required"—were seen in 31 percent of the incidents and only 17 percent of these attacks against multi-billion-dollar chains involved "advanced skills, significant customization, and/or extensive resources required."

    The copy of the full report is probably worth a read.