US Data Breaches Analysis
Analysis of US Data Breaches 2005 - 2009
Compiled and Presented by: John E. Kveragas, Jr., CPA, CISA
“Learn from the mistakes of others. You can’t live long enough to make them all yourself.”
- Eleanor Roosevelt
Agenda
Background
Analysis
Could have, Should have, Would have
Q&A
Appendix A – Definition of Root Causes
Appendix B – Definition of Industries
Background
Source: www.privacyrights.com
Time Period: January 2005 – December 2009
Scope: Reported data breaches impacting customers and employees in the US.
Purpose: To utilize available information to give Audit and Security assurance that time and resources are being wisely spent on securing and reviewing the real risks to our most prized organizational asset.
Assumptions: Actual records compromised are far greater than what has been reported. Some organizations had no idea what records were impacted or how many. Events reported are a representative sample of all data breach incidents. Therefore we can use this data to forecast IT risk areas and emerging trends.
Constraints: Hacking incidents where the exploit was not explained had the Root Cause classified as Network Security. This Root Cause also covers default/blank passwords, unpatched devices, misconfigured devices, default settings, etc. The Physical Security category covers stolen computers and hard drives. This excludes laptops, PDAs, and portable media.
Analysis – Reported US Data Breaches
From January 1, 2005 – December 31, 2009
By the Numbers:
1,340 reported incidents.
324 of the 1,340 reported incidents did not know how many records were affected.
40 of the 324 were Banks.
457,016,826 known customer/employee records affected.
US Census estimated US population at 305,000,000 in 2009.
1,219 organizations had data breaches.
74 of the 1,219 organizations had multiple data breaches.
Baseball is ninety percent mental and the other half is physical. - Yogi Berra
Reported US Data Breaches by Year

Year     Incidents   Percent of Total Incidents   Nbr. of Records   Percent of Total Records
2005           117        8.73%                        54,771,890        11.98%
2006           335       25%                           75,744,316        16.57%
2007           328       24.48%                        70,684,438        15.47%
2008           320       23.88%                        34,824,336         7.62%
2009           240       17.91%                       220,991,846*       48.36%*
Totals       1,340      100%                          457,016,826       100%

* A single incident in 2009 was responsible for 100,000,000 records. Because a single event, or a few events, can skew the number of records, it is more important to look at the number of incidents reported for a year-to-year comparison than the number of records.
The 5 Largest Data Breaches

Year   Industry               Root Cause             Record Count
2005   Banking                Network Security         40,000,000
2007   Retail                 Network Security         45,700,000
2009   Banking                Virus                   100,000,000
2009   Government - Federal   Disposal of hardware     76,000,000
2009   eCommerce - Retail     Web coding error         32,000,000
Total Records                                         293,700,000

These 5 incidents represent 64% of the reported data records compromised during the 5 year period.
Root Cause – Sorted by Incident Count

Root Cause                     Incidents   Nbr. of Records
Network Security                     270       121,881,159
Laptop                               259        37,441,939
Paper                                147         4,696,608
Physical Security                    147         9,179,139
Web posting error                    143         4,533,405
Insider                               89        25,352,839
Portable Media                        83        26,677,497
Mailing/Printing error                48         2,566,405
Email error                           32           710,469
Backup Tapes                          29         9,266,569
Unknown                               20         5,598,145
Virus                                 14       100,073,262
Web coding error                      12        32,169,060
Disposal of hardware                  12        76,296,770
Skimming                              11             1,821
Peer to Peer                           9            11,485
Social Engineering                     4           435,000
Fax error                              2                80
Programming Error (Backend)            2               123
Public PC                              2           117,000
Wireless                               2                 ?
PDA                                    1               851
Phishing                               1             4,000
SmartPhone                             1             3,200
Totals                             1,340       457,016,826
Root Cause – Sorted by Incident Count, Top 10

Root Cause                     Incidents   Nbr. of Records
Network Security *                   270       121,881,159
Laptop *                             259        37,441,939
Paper                                147         4,696,608
Physical Security *                  147         9,179,139
Web posting error                    143         4,533,405
Insider *                             89        25,352,839
Portable Media *                      83        26,677,497
Mailing/Printing error                48         2,566,405
Email error                           32           710,469
Backup Tapes *                        29         9,266,569

The top ten root causes with the highest number of incidents represent 93% of the total number of incidents.
Footnote 1: Items marked * (bolded in the original) are on the Top 10 list for both # of incidents and # of data records impacted.
Root Cause – Sorted by Nbr. of Records

Root Cause                     Incidents   Nbr. of Records
Network Security                     270       121,881,159
Virus                                 14       100,073,262
Disposal of hardware                  12        76,296,770
Laptop                               259        37,441,939
Web coding error                      12        32,169,060
Portable Media                        83        26,677,497
Insider                               89        25,352,839
Backup Tapes                          29         9,266,569
Physical Security                    147         9,179,139
Unknown                               20         5,598,145
Paper                                147         4,696,608
Web posting error                    143         4,533,405
Mailing/Printing error                48         2,566,405
Email error                           32           710,469
Social Engineering                     4           435,000
Public PC                              2           117,000
Peer to Peer                           9            11,485
Phishing                               1             4,000
SmartPhone                             1             3,200
Skimming                              11             1,821
PDA                                    1               851
Programming Error (Backend)            2               123
Fax error                              2                80
Wireless                               2                 ?
Totals                             1,340       457,016,826
Root Cause – Sorted by Nbr. of Records, Top 10

Root Cause                     Incidents   Nbr. of Records
Network Security *                   270       121,881,159
Virus                                 14       100,073,262
Disposal of hardware                  12        76,296,770
Laptop *                             259        37,441,939
Web coding error                      12        32,169,060
Portable Media *                      83        26,677,497
Insider *                             89        25,352,839
Backup Tapes *                        29         9,266,569
Physical Security *                  147         9,179,139
Unknown                               20         5,598,145

The top ten root causes with the highest number of records represent 97% of the total number of records affected.
Footnote 1: Items marked * (bolded in the original) are on the Top 10 list for both # of incidents and # of data records impacted.
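As an added example (not part of the deck), the Python below recomputes the two Top 10 lists, the 93% and 97% coverage figures, and the "on both lists" rows from the root-cause table above, so the same check can be rerun on a later year's data. The figures are transcribed from the deck's table; the unknown record count for Wireless is carried as None.

```python
# Added example (not from the deck): recompute the "Top 10 by incidents", "Top 10 by
# records" and "on both lists" figures from the 2005-2009 root-cause table above.
# Values are transcribed from the deck; the unknown record count for Wireless ("?")
# is carried as None and treated as 0 when summing.
ROOT_CAUSES = {  # root cause: (incidents, records)
    "Network Security": (270, 121_881_159),
    "Laptop": (259, 37_441_939),
    "Paper": (147, 4_696_608),
    "Physical Security": (147, 9_179_139),
    "Web posting error": (143, 4_533_405),
    "Insider": (89, 25_352_839),
    "Portable Media": (83, 26_677_497),
    "Mailing/Printing error": (48, 2_566_405),
    "Email error": (32, 710_469),
    "Backup Tapes": (29, 9_266_569),
    "Unknown": (20, 5_598_145),
    "Virus": (14, 100_073_262),
    "Web coding error": (12, 32_169_060),
    "Disposal of hardware": (12, 76_296_770),
    "Skimming": (11, 1_821),
    "Peer to Peer": (9, 11_485),
    "Social Engineering": (4, 435_000),
    "Fax error": (2, 80),
    "Programming Error (Backend)": (2, 123),
    "Public PC": (2, 117_000),
    "Wireless": (2, None),
    "PDA": (1, 851),
    "Phishing": (1, 4_000),
    "SmartPhone": (1, 3_200),
}
INCIDENTS, RECORDS = 0, 1  # index into the (incidents, records) tuple

def top_n(metric, n=10):
    """Root causes ranked highest on the chosen metric, best first."""
    ranked = sorted(ROOT_CAUSES, key=lambda c: ROOT_CAUSES[c][metric] or 0, reverse=True)
    return ranked[:n]

def share(causes, metric):
    """Fraction of the 5-year total for `metric` accounted for by `causes`."""
    total = sum(v[metric] or 0 for v in ROOT_CAUSES.values())
    return sum(ROOT_CAUSES[c][metric] or 0 for c in causes) / total

def on_both_lists(n=10):
    """Causes in the top n by incidents AND by records (the deck's bolded rows)."""
    return sorted(set(top_n(INCIDENTS, n)) & set(top_n(RECORDS, n)))

def union_of_top_lists(n=10):
    """Causes in either top-n list: the 14 causes on the deck's 'Top 10's' slide."""
    return sorted(set(top_n(INCIDENTS, n)) | set(top_n(RECORDS, n)))
```

The union of the two lists is what the later "Could have, Should have, Would have" slide totals to 1,305 incidents (97.39%) and 456,443,266 records (99.87%).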
Top 10: Industry – Sorted by Incident Count

Industry                          Incidents   Nbr. of Records   % of Total Incidents
Education *                            379         9,136,254        28%
Medical *†                             201         7,711,609        15%
Government - State *                   136        14,993,503        10%
Banking *†                              90       174,682,458         7%
Government - Local *                    86        10,166,092         6%
Government - Federal *                  84       107,221,847         6%
Retail *                                72        53,111,224         5%
Other                                   44         2,153,348         3%
Insurance                               35         4,206,121         3%
Accounting/Tax/Audit/Payroll            30         1,565,290         2%

Percentages are of the total of 1,340 reported incidents.
Footnote 1: Industries marked † (in red in the original) are governed by Federal law over data privacy, i.e. HIPAA for Medical and GLBA for Banking.
Footnote 2: Items marked * (bolded in the original) are on the Top 10 list for both # of incidents and # of data records impacted.
Top 10: Industry – Sorted by Nbr. of Records

Industry                          Nbr. of Records   Incidents   % of Total Records
Banking *                             174,682,458          90        38%
Government - Federal *                107,221,847          84        23%
Retail *                               53,111,224          72        12%
eCommerce - Retail                     49,784,327           9        11%
Government - State *                   14,993,503         136         3%
Government - Local *                   10,166,092          86         2%
Education *                             9,136,254         379         2%
Medical *                               7,711,609         201         2%
Brokerage                               7,126,146          16         2%
Manufacturing                           6,223,915          22         1%

Percentages are of the total of 457,016,826 records.
Footnote 1: Items marked * (bolded in the original) are on the Top 10 list for both # of incidents and # of data records impacted.
Risk Analysis
Top 10 Industries: Incidents with an unknown number of records affected.

Industry                          Incidents   Percent of Total Incidents with Unknown Number of Records Affected
Education                              48        15%
Banking †                              40        12%
Medical                                38        12%
Retail                                 33        10%
Government - State                     28         9%
Government - Local                     19         6%
Government - Federal                   18         6%
Other                                  18         6%
Accounting/Tax/Audit/Payroll           10         3%
Telecomm                               10         3%

Total of 324 incidents with unknown number of records affected.
Banking is marked † (highlighted in red in the original) to indicate it is an industry that is regulated by Federal privacy law (GLBA). One of the requirements of GLBA is that the financial institution has an inventory of all non-public information (NPI) and adequate security logs to identify who accessed NPI and when. This statistic is in essence stating that over the 5 year period there have been 40 reported breaches of GLBA.
Repeat Offenders
6% of the organizations in the study had multiple data breaches.
Lost/stolen laptops topped the repeated data breaches for the same organization. 48 unencrypted laptops were lost/stolen by the 74 organizations that had multiple data breaches during the same time period. Of the 48 laptops stolen, one had 28,600,000 records compromised. 4 organizations had 3 separate incidents of laptops lost/stolen over the 5 year period. Unencrypted laptops accounted for 37,441,939 (8%) records and 258 (19%) of all reported data breaches.
IT Management often looks at hard drive encryption as a cost per laptop expense. Perhaps it should be viewed from a cost per customer perspective: (Cost of encryption / # of sensitive data records X # of laptops with sensitive data.)
Top 3 Root Causes by Industry

Education: Network Security 36%, Web Posting Error 16%, Laptop 13%
Medical: Laptop 26%, Paper 16%, Physical Security 13%
Government - State: Laptop 15%, Web Posting Error 13%, Paper 13%
Government - Local: Web Posting Error 23%, Laptop 16%, Paper 13%
Government - Federal: Laptop 31%, Physical Security 11%, Network Security 11%
Banking: Network Security 27%, Laptop 16%, Paper 16%

You better cut the pizza in four pieces because I'm not hungry enough to eat six.
- Yogi Berra
Trending upward – Emerging Threats?
[Chart: number of incidents per year, 2005 to 2009 (y-axis 0 to 50), for the root causes Paper, Insider, Mailing/Printing Error, Email error, and Virus]

January 2010 – April 2010: 44% of the incidents are attributed to the Emerging Threats identified in the 2005-2009 Data Analysis
Root Cause               Count   Percent of Count       Records   Percent of Records
Physical Security           16       16.67%           5,042,685         4.52%
Insider                     15       15.63%              17,820         0.02%
Network Security            15       15.63%           1,483,453         1.33%
Paper                       10       10.42%              94,460         0.08%
Laptop                       9        9.38%             238,865         0.21%
Mail/Printing Error          8        8.33%             758,250         0.68%
Virus                        6        6.25%               9,174         0.01%
Portable Media               5        5.21%           3,341,069         3%
Web posting error            4        4.17%         100,009,053        89.74%
eMail error                  3        3.13%               6,260         0.01%
Backup Tapes                 1        1.04%               3,097         0%
Disposal of Hardware         1        1.04%             409,262         0.37%
Peer to Peer                 1        1.04%                 260         0%
Programming Error            1        1.04%               3,900         0%
Web Coding Error             1        1.04%              27,000         0.02%
Totals                      96      100%            111,444,608       100%
2009 Actual vs. 2010 Forecasted

Root Cause               2009   2010 (Forecasted)   Projected % Change
Physical Security          15          48                 69%
Insider                    26          45                 42%
Network Security           42          45                  7%
Paper                      39          30                -30%
Laptop                     35          27                -30%
Mail/Printing Error        13          24                 46%
Virus                      11          18                 39%
Portable Media             15          15                  0%
Web posting error          14          12                -17%
eMail error                11           9                -22%
Backup Tapes                1           3                 67%
Disposal of Hardware        3           3                  0%
Peer to Peer                2           3                 33%
Programming Error           1           3                 67%
Web Coding Error            3           3                  0%
Totals                    231         288                 20%
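As an added example (not part of the deck), the script below reproduces the 2010 forecast and projected-change columns from the January–April 2010 counts. Two things are inferred from the table's own numbers rather than stated on the slide: the forecast annualises four months of data (count × 3), and the deck's percent change is taken relative to the forecast, not the 2009 baseline; a baseline-relative version is included for comparison.

```python
# Added example (not from the deck): reproduce the "2009 Actual vs. 2010 Forecasted"
# table. Inferred from the table's own numbers, not stated on the slide: the 2010
# forecast is the January-April 2010 count annualised (x 12/4 = x 3), and the deck's
# "Projected % Change" is measured against the forecast, (forecast - 2009) / forecast.
MONTHS_OBSERVED = 4  # January-April 2010

INCIDENTS = {  # root cause: (2009 actual incidents, Jan-Apr 2010 incidents), from the deck
    "Physical Security": (15, 16),
    "Insider": (26, 15),
    "Network Security": (42, 15),
    "Paper": (39, 10),
    "Laptop": (35, 9),
    "Mail/Printing Error": (13, 8),
    "Virus": (11, 6),
    "Portable Media": (15, 5),
    "Web posting error": (14, 4),
    "eMail error": (11, 3),
    "Backup Tapes": (1, 1),
    "Disposal of Hardware": (3, 1),
    "Peer to Peer": (2, 1),
    "Programming Error": (1, 1),
    "Web Coding Error": (3, 1),
}

def annualise(partial_count, months=MONTHS_OBSERVED):
    """Scale a count observed over `months` months to a 12-month forecast."""
    return round(partial_count * 12 / months)

def deck_change(actual, forecast):
    """Percent change as the deck reports it: relative to the FORECAST, whole percent."""
    return round((forecast - actual) / forecast * 100)

def baseline_change(actual, forecast):
    """Conventional percent change relative to the 2009 baseline, for comparison."""
    return round((forecast - actual) / actual * 100)

def forecast_table():
    """{cause: (2009 actual, 2010 forecast, deck % change)} with a 'Totals' row."""
    rows = {}
    for cause, (actual, partial) in INCIDENTS.items():
        forecast = annualise(partial)
        rows[cause] = (actual, forecast, deck_change(actual, forecast))
    actual = sum(a for a, _ in INCIDENTS.values())
    forecast = annualise(sum(p for _, p in INCIDENTS.values()))
    rows["Totals"] = (actual, forecast, deck_change(actual, forecast))
    return rows
```

Note the denominator: the deck's 69% for Physical Security is 33/48; measured against the 2009 baseline the same forecast is a 220% rise, which is the figure most readers expect from "percent change".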
Could have, Should have, Would have – Top 10’s

Root Cause (Incidents / Nbr. of Records): Countermeasures
Network Security (270 / 121,881,159): Timely patches, vulnerability scans, ethical hacks, complex password criteria, hardened server/device builds, defense in depth, and encryption.
Laptop (259 / 37,441,939): Hard drive encryption, physical chain locks.
Physical Security (147 / 9,179,139): Alarm system, badge/bio access, hard drive encryption, locked server racks / PC cabinets, and encryption.
Paper (147 / 4,696,608): Records management, on-site shredding, imaging/shredding.
Web posting error (143 / 4,533,405): QA & UAT.
Insider (89 / 25,352,839): Proper vetting of employees and contractors, logging and monitoring, and least privilege.
Portable Media (83 / 26,677,497): Encryption.
Mailing/Printing Error (48 / 2,566,405): QC & executive signoffs.
Email error (32 / 710,469): Outbound e-mail filters; e-mail encryption.
Backup Tapes (29 / 9,266,569): Encryption.
Unknown (20 / 5,598,145): Logging and monitoring (at a minimum to identify who, how, and what).
Virus (14 / 100,073,262): Timely patches and up-to-date AV signatures, AV scanning of e-mail, website content filters, endpoint protection.
Disposal of hardware (12 / 76,296,770): Degaussing and destruction of hard drives; encryption.
Web coding error (12 / 32,169,060): Web app vulnerability scans, secure coding program, ethical hacks.
Totals for Top Root Causes: 1,305 incidents / 456,443,266 records
% of 5 Year Total: 97.39% of incidents / 99.87% of records
Could have, Should have, Would have – Bottom 2%

Root Cause (Incidents / Nbr. of Records): Countermeasures
Social Engineering (4 / 435,000): Security awareness training for employees, contractors, and customers.
Public PC (2 / 117,000): Endpoint scanner for VPN access.
Peer to Peer (9 / 11,485): Block it.
Phishing (1 / 4,000): Security awareness training for employees, contractors, and customers.
SmartPhone (1 / 3,200): Implement your security program on Blackberries, iPhones, etc.
Skimming (11 / 1,821): Inspection.
PDA (1 / 851): Implement your security program on PDAs.
Programming Error (2 / 123): SDLC.
Fax error (2 / 80): ???
Wireless (2 / ?): WPA, restrict access.
Totals: 35 incidents / 573,560 records
% of 5 Year Total: 2.61% of incidents / 0.13% of records
Conclusion of the Analysis
Trends from the 5 year study can be used to forecast emerging threats.
The use of encryption in protecting data in transit and at rest can make a security breach a non-event for customers and employees.
Insider risk has been on the rise. Practice “least privilege” and monitor insider activities.
If you are not doing the Security 101 things then all other efforts are a waste.
The best IT Security can be trumped by poor physical security and poor records management.
Questions???
I wish I had an answer to that because I'm tired of answering that question.
- Yogi Berra
Appendix A - Definition of Root Causes
Network Security – If the description included any of the following terms: hacked, unpatched, server/device misconfiguration, password cracking, default settings/passwords, server, router, firewall, database server.
Laptop – Any mention of laptop, lost or stolen.
Paper – Any lost, stolen, or misplaced paper, i.e. placed in a dumpster.
Physical Security – This dealt with the physical entry of premises and removing computers and non-portable hard drives. Excludes laptops, paper, mobile media.
Web Posting Error – Accidental/unintentional release of information via a website.
Insider – When the breach was due to the illegal actions of an employee, consultant, or student who had some form of access to the data and abused the system/physical access.
Portable Media – CDs, DVDs, USB thumbdrives/flashdrives, external hard drives, floppy disks. This excludes backup tapes.
Mail/Printing Error – Accidental/unintentional release of information via printing and/or mailing data, i.e. wrong addressee or information printed/viewable on the outside of the mailing.
Email Error – Accidental/unintentional release of information via e-mail, i.e. unintended addressee, wrong attachment, more data in the e-mail than known by the sender.
Backup Tapes – Unencrypted backup tapes only.
Virus – Any malware, virus, Trojan, keystroke logger, spyware.
Disposal of Hardware – The discarding or selling of computer equipment with unencrypted hard drives that contain sensitive data.
Web Coding Error – Website code inadvertently discloses sensitive data, SQL injection, cross-site scripting, website authentication weakness, etc.
Unknown – Organization knew that it had a data breach, but did not know the cause.
Skimming – The copying of data from the magnetic stripe on credit and debit cards.
Peer to Peer – Data disclosure via the use of file sharing software/websites.
Social Engineering – A malicious individual (non-insider) obtained sensitive data through trickery.
Fax Error – Data was either inadvertently sent to the wrong fax number, or more information was faxed to the correct recipient than intended by the sender.
Programming Error (Backend) – Any breaches that were the result of a programming issue with a backend processing application or of a batch job failure.
Public PC – Data breach as a result of data being saved on to public PCs via e-mail downloads or data residing in temp files.
Wireless – A breach as a result of an unsecured wireless transmission being intercepted, or an individual accessing an organization's wired network as a result of an unsecured wireless access point connected to the wired network.
PDA – Any breach involving lost/stolen PDAs having sensitive data stored on its hard drive.
Phishing – A breach that involved an individual opening a phishing e-mail/website.
Smartphone – Any breach involving a lost/stolen smartphone having sensitive data stored on its hard drive.
Appendix B – Definition of Industries
Banking – Banks, credit unions, credit card companies, and mortgage companies.
Medical – Doctors, pharmacies, hospitals, clinics.
Insurance – Any and all insurance companies.
Education – Daycare, preschools, public and private K-12 schools, technical/trade schools, colleges and universities.
Government – Local – City, town, county, township, boro, parish governments, and local police.
Government – State – Any of the 50 state governments including all state government agencies, departments and state police.
Government – Federal – The US Federal government including all Federal agencies, departments, and the military.
Accounting/Audit/Tax/Payroll – Public accounting firms, tax preparers, payroll service providers.
Telecomm – Telecommunications companies including phone, mobile phone, ISPs, and cable companies.
Retail – Retail stores and restaurants.
eCommerce Retail – Retailers who are solely doing business online and have no physical storefront.
Brokerage – Stock brokers, brokerage firms, and mutual fund companies.