Verizon 2014 Data Breach Report: The Bad Guys Are Winning

Organizations are falling asleep at the wheel, failing to proactively monitor or properly configure existing security systems and address common weaknesses being targeted by cybercriminals, say incident responders, investigators and other experts at RSA Conference 2014.

Over the past 10 years attackers have cut the time it takes to compromise a system, according to a preview of the Verizon 2014 Data Breach Investigations Report, which highlights hundreds of breaches throughout the year and about a decade worth of security incidents to spot significant trends.

The time it takes for an attacker to compromise a system in three-quarters of breaches is days or less, according to the analysis. But less than 25 percent of breaches are discovered in days or less, said Wade Baker, creator and principal analyst of the Verizon 2014 Data Breach Investigations Report.

[Related: Investment In Data Breach Responders Lacking, Study Finds ]

’This is not a good situation,’ Baker said. ’If this is the 10-year study of where we’ve come, the bad guys are winning at a faster rate than the good guys are winning and we’ve got to solve that; we’ve got to do something different.’

At an event held for press and analysts Tuesday at the RSA Conference, a panel of experts discussed the trends uncovered in the Verizon report. The report combines Verizon’s case load with data from public and private organizations, including the U.S. Secret Service, the United States Computer Emergency Readiness Team (US-CERT) as well as international law enforcement agencies and incident response teams. Verizon said it added 50 new contributors of breach information, including forensics providers, global services firms and other security vendors.

The recent massive Target data breach has placed a spotlight on a wave of retail data breaches, believed to be connected to the same cybercriminal organization, experts said. The Target breach was carried out by attackers in the U.S. and abroad, said Ed Lowrey, deputy special agent in charge at the U.S. Secret Service. Lowrey said attackers are well organized, use sophisticated tools and plan their attacks carefully.

’These are professional criminals that study their future victims; they are looking for the vulnerabilities they can exploit,’ said Lowrey. ’The actual intrusion happens very, very quickly, but the work they do ahead of time does not necessarily happen that quickly.’

NEXT: Security Models Are Broken, Experts Say

The 2014 Verizon report found that more than three-quarters of initial attacks breaching a corporate network were relatively easy to carry out. The report consistently found that lost or stolen passwords were at the core of the majority of breaches examined by investigators. Cybercriminals use phishing or drive-by attacks to target their victims or simply probe a network remote-access service for default passwords and vulnerabilities to gain initial access, the report found.

Security models at organizations are broken, said Eddie Schwartz, a security industry veteran who heads Verizon’s security and cyberintelligence practice. Cybercriminals don’t have to do much innovating to gain access to business networks and steal sensitive data, Schwartz said. For example, cybercriminals in the Target retail breach used memory-scraping malware, malicious code that has been available since 2009.

Businesses are led down the path of buying more security products, layering on additional capabilities to detect threats, but that hasn’t done much to improve security capabilities, Schwartz said.

’For too long in this industry, vendors of security technology have been encouraging people to create these incredibly complex and difficult environments,’ Schwartz said. ’Large-scale data analytics, intelligence fusion, tracking of criminal activity and understanding things like network segmentation, incident response and forensics is difficult. To think that all these organizations can do what the largest banks or defense contractors can do is an impossible scenario, and we have to stop thinking that way in this industry.’

It’s not a one-size-fits-all approach, said Dave Kuhn, cybercrime, detection and prevention manager at Cincinnati-based U.S. Bank. Kuhn said U.S. Bank proactively monitors logs, analyzing systems and threat streams to detect anomalies that could indicate cybercriminal behavior. Kuhn said it doesn’t necessarily take a data scientist to spot suspicious file transfers, just someone who is alertly monitoring for the activity.

’We try to understand our data as a whole to know our threat landscape and where our value assets are so we can then understand what an anomaly is in our environment,’ Kuhn said. ’For us it really is about doing that big data, crunching it down and knowing what our baseline is to detect a suspicious activity in our environment.’

PUBLISHED FEB. 26, 2014