Hackers motivated by political and social agendas were responsible for more stolen data than any other group last year, according to Verizon's 2012 Data Breach Investigations Report (DBIR), which was released earlier today. Although organized crime groups continued to lead the way in the total number of breaches, the most significant development in 2011 was the arrival of hacktivism as potent force in the threat landscape, according to the report.
The DBIR is an incident-based report derived from actual security breaches in which Verizon's RISK (Research Investigations Solutions Knowledge) team was retained by the victim company to help identify the source and to determine the full extent of the information losses.
Verizon's research shows that hacktivism represents an unconventional adversary that is capable of employing sophisticated techniques to achieve its activist goals. According to the report, hacktivists were responsible for 58 percent of all data stolen in 2011 -- over 100 million records in all. Furthermore, hacktivists were almost exclusively focused on targeting larger organizations: The study ascribed hacktivist motives to 25 percent of external attacks on large organizations, but that number fell to just 3 percent when looking at organizations of all sizes.
"For the first time ever, hactivist groups stole more data than anyone else in 2011 and by a considerable margin," Bryan Sartin, vice president of the Verizon RISK Team said during a press conference call. "We're no strangers to hacktivism, we have seen it and we've tracked it for years, but it has never been apparent in numbers great enough to make that threat truly quantifiable."
Another unique aspect of hacktivist attacks: More than 50 percent of the victims knew that they were going to be attacked in advance, according to Verizon. Sartin noted that some organizations knew the pending attack would occur within a 6 to 12-hour window.
"Hacktivism clearly has the earmarks of a threat that is here to stay, and it may well be the top criminal motivation in the next year -- both in terms of number of breaches and records stolen," Sartin said.
Hacktivism-based attacks use multiple types of attack vectors to breach a victim organization. In contrast to financially-motivated attacks that focus solely on gaining access to information that can be sold on the black market, hacktivists have the flexibility of choosing from hundreds of different ways to achieve their goals.
"They are out there for retaliation or to damage a brand," Sartin said. "It could be anything from Denial of Service (DoS) against a website to conventional intrusion into mail, HR, or financial data."
While DoS attacks are often though of as the primary vector for hacktivism, Sartin cautioned that many attacks are more complex.
"For a large percentage of the investigations we conducted, the DDoS attacks were in fact diversionary tactics," Sartin said. Oftentimes, the main thrust of the attack was actually occurring elsewhere, taking advantage of the fact that the target organization's security resources were busy dealing with the DoS attack.
"A lot of times we're brought in afterwards and the organization thinks they did what was necessary to focus on mitigating the very obvious and easy-to-detect DDoS attack," Sartin said. "Then they find out afterwards that sensitive executive email has been splashed all over the Internet."
How to Avoid Attack
The good news -- or bad news, depending on how you look at it -- is that virtually all of last year's attacks could have been prevented. In fact, Verizon's report noted that 97 percent of all attacks were avoidable through simple or intermediate controls. The key to prevention, Sartin noted, is good security "hygiene."
"Simple things like, when you put technology out on the Internet, make sure you change the default passwords," Sartin said. "Don't put your database where you store all your sensitive data on the web server that physically sits on the Internet."
In Sartin's view, a lot of good security hygiene also comes down to the concept of "security by obligation." That is, organizations are often the most secure immediately after they have completed a compliance-related assessment. As time goes by after that assessment, what often happens is that things fall into disrepair and aren't as secure.
"Much of this is security common sense, but in larger environments we're still dealing with the fundamental problem where most of the data that is stolen in data breaches comes from sources of data the victim companies don't know they have," Sartin said.
The report highlighted several high-level recommendations around security best practices. For smaller organizations, Verizon recommended implementing a firewall or access control list (ACL) on remote access services, and changing default credentials of point-of-sale (POS) systems and other Internet-facing devices. Larger organizations should consider eliminating unnecessary data and closely monitor the data that is retained, regularly check that essential controls are met, and monitor and mine event logs.
Other notable statistics from the report include:
- 94 percent of all data compromised involved servers;
- 85 percent of breaches took weeks or more to discover;
- 92 percent of incidents were discovered by a third party.