Hacktivists, Not Profiteers, Stole Most Data in 2011

Cyberattacks carried out by hacktivists — hackers motivated by political reasons — shot up in 2011, accounting for 58 percent of the data stolen in cyberbreaches, according to Verizon.

The company’s 2012 Data Breach Investigations Report also stated that 79 percent of the attacks were opportunistic, meaning they were carried out because an opportunity presented itself, rather than being planned.

Overall, the report indicated that it was very easy to launch a successful attack and that most of the breaches were avoidable.

Verizon’s finding that hacktivism is on the rise echoes that of Arbor Networks, which announced a similar conclusion in its 7th Annual Worldwide Infrastructure Security Report, issued in February.

“I imagine [the trend] will continue,” Chris Porter, managing principal on the Verizon Risk team and one of the authors of that company’s report, told the E-Commerce Times. “In the long run, though, we think that law enforcement’s actions will temper the trend.”

More on Verizon’s Findings

Verizon reported that 96 percent of the attacks were not highly difficult, not requiring advanced skills or extensive resources. It also found that 97 percent of the attacks could have been avoided without the need for difficult or expensive countermeasures.

Breaches originated from 36 countries worldwide, up from 22 countries in 2010. Less than 25 percent originated in North America, and nearly 70 percent originated in Eastern Europe. That means China, often seen as a cybersecurity bugbear, played a very minor role in 2011 despite reports to the contrary.

External attacks were responsible for 98 percent of the breaches. These included hacks by organized crime, activist groups, former employees of organizations that suffered attacks, lone hackers and government-sponsored breaches. The proportion of breaches attributable to insiders continued to fall, to 4 percent for 2011.

Hackers were responsible for 81 percent of the data breaches as compared with 50 percent in 2010. Hackers accounted for 99 percent of the data stolen.

Malware was responsible for 69 percent of the breaches in 2011 as compared with 49 percent in 2010. Malware accounted for 95 percent of the records compromised.

Verizon found that it takes months, or even years, before breaches are discovered, and that third parties detected 92 percent of breaches.

Why Hacktivists Succeed

The rise of hacktivism is relatively new, and “many businesses have not adjusted to this new reality and the implications for the threat landscape,” Rob Malan, cofounder and chief technology officer of Arbor Networks, told the E-Commerce Times.

Many of the hacktivist attacks used the distributed denial of service (DDoS) technique. This essentially brings down a network by flooding it with requests.

“What we saw in 2011 was the democratization of DDoS,” Malan said. There’s been an “explosion of inexpensive and readily accessible attack tools … enabling anyone to carry out DDoS attacks.”

In some cases, businesses haven’t done anything to adjust, while in others, they have redeployed existing devices such as firewalls and intrusion prevention services, which aren’t designed to stop DDoS attacks, Malan pointed out.

“Fundamentally, the tools for internal enterprise security haven’t advanced in the past decade,” Malan stated. “We’re using the same tired technology and practices from 1999 — firewalls, intrusion detection and prevention systems, and logfile collection. The most they collectively do is raise the bar on the effort and skill needed to penetrate an enterprise. Unfortunately, that bar is still not very high.”

Is IT Security Asleep at the Wheel?

Some years ago, IT had to batch download enterprise system logs weekly, print it out and then go through reams of reports manually, which provided some excuse for slow detection of breaches. However, automated log tracking software, which can provide real-time indications of breaches, has been around for quite a while. So why does it still take months or even years before breaches are detected?

“We believe this has a lot to do with a lack of time and resources,” Verizon’s Porter said. “Many smaller organizations don’t have the resources to perform this sort of detection.”

Also, automated logging and tracking software isn’t as prevalent in the enterprise as other types of security software, such as antivirus or firewalls, independent security consultant Randy Abrams pointed out. Even when it is available, “there must be sufficient resources to monitor the output of the tools,” and funding of such resources is still an issue.

Further, the speed of detection is also partly data dependent, Porter said.

For example, there are two components to the delay in detecting credit card data theft, he said. The first is the time between when the credit card data is stolen and when it’s actually fraudulently used. The second is the time between the first fraudulent use and when this is detected by banks.

It’s much more difficult to detect intellectual property breaches because “there is no fraud algorithm to help detect this type of breach,” Porter added.

The Art of Cyber Self-Defense

Verizon recommends that enterprises evaluate their threat landscape and use the findings to create a customized prioritized security strategy.

Enterprises should eliminate unnecessary data and monitor all important data that must be retained, Verizon said. They should also establish essential security controls and monitor these regularly.

Further, enterprises should focus on event logs, monitoring and mining them for suspicious activity.

Small organizations should use firewalls, change default credentials especially with point-of-sale (POS) systems, and monitor third parties that manage firewalls and POS systems, Verizon said.

Like law enforcement, security pros are most successful when nothing happens.

“Cybersecurity professionals … cannot prove how much money they’ve saved a company by preventing an untold number of attacks,” Abrams said. On the other hand, “it’s very easy to quantify how much money was spent on security,” Abrams said. “As a result, businesses often see a cost that they’re unable to associate with a tangible benefit.”