‘Only’ 4 Million Records Breached in 2010—That's Good News, By the Way

Online attacks are on the wane, but that's because cybercrooks are opting for smarter, more targeted approaches to getting at corporate data.

Verizon and the U.S. Secret Service released their annual study on data security, observing that while there were a lot of data breaches over the past year, hackers got away with less data. The number of compromised records involved in data breaches investigated by the pair dropped from 144 million in 2009 to “only” 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. 

It appears that cybercrooks are better targeting their efforts. According to the Verizon report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals.

“They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations,” the report says. “For example, only 3% of breaches were considered unavoidable without extremely difficult or expensive corrective action.”

This conclusion matches those of IBM's latest “X-Force 2010 Trend and Risk Report,” which suggests that spam and phishing attacks are leveling off. Also, mobile devices have not been compromised in any big way, yet. The bad news is that IT security threats are getting increasingly sophisticated and targeted.

Based on intelligence gathered through research of public vulnerability disclosures, and the monitoring and analysis of more than 150,000 security events per second during every day of 2010, the IBM X-Force Research team found that more than 8,000 new IT security vulnerabilities were documented—a 27% rise from 2009. Public exploit releases were also up 21% from 2009 to 2010. This data points to an expanding threat landscape in which sophisticated attacks are being launched against increasingly complex computing environments.

There were significantly fewer mass phishing attacks relative to previous years, but there has been a rise in more targeted attack techniques. “Spear phishing,” one such technique, grew in importance in 2010, as meticulously crafted e-mails with malicious attachments or links became one of the hallmarks of sophisticated attacks launched against enterprise networks. 2010 saw some of the most high-profile, targeted attacks that the industry has ever witnessed.

Verizon and the US Secret Service make the following recommendations for enterprises to keep data secure:

Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.

Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.

Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.

Audit user accounts and monitor users with privileged identity. The best approach is to trust users, but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.

Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutiae. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
