Government Technology

Report Claims Most Security Breaches Aren't Discovered Until Months Later



September 19, 2008

It takes most public- and private-sector organizations weeks or even months -- not days or hours -- to discover that their networks have been breached by outside forces, according to a report released by the Verizon Business Risk Team. And even then, the breach is discovered by a third party and not the organization itself. The report also claims that nine out of 10 of these breaches could have been prevented had the agencies implemented common security protocols.

The 2008 Data Breach Investigations Report, released in June, compiles data from more than 500 forensic cases handled by the Verizon Business Response Team from 2004 to 2007. These cases comprise those that were publicly disclosed and those that weren't -- more than 230 million records in all. The average number of records per breach was approximately 1.2 million. The median was lower at 45,000, indicating a skew in the data toward larger breaches.

The report contains some eye-opening findings about the nature of breaches and who's behind them:

  • It was months before 63 percent of infiltrated organizations knew they had been compromised, weeks for 18 percent, days for 14 percent, hours for 3 percent and years for 2 percent. In 64 percent of cases, it only took hours or days to compromise systems after the first point of entry.
  • Seventy-three percent of data breaches came from external sources, 18 percent were caused by insiders, 39 percent implicated business partners and 30 percent involved multiple parties.
  • Some form of error -- in 62 percent of cases -- either directly or indirectly contributed to a breach, 59 percent resulted from hacking intrusions and 31 percent incorporated malicious code.
  • Sixty-six percent of breaches involved data that the victim organizations didn't know existed, 75 percent of breaches were discovered by a third party and not someone in the victimized organization, 85 percent of breaches were opportunistic attacks and 87 percent were considered avoidable through reasonable controls.
  • When hacking occurred, 39 percent of attacks targeted the application/service layer, 23 percent targeted the operating system/platform layer, 18 percent exploited a known vulnerability, 5 percent exploited unknown vulnerabilities and 15 percent of hacking breaches showed evidence of re-entry via backdoors.

Bryan Sartin, the head of investigative response at Verizon Business, said that when organizations start working to remedy this type of damage, they often find that more of their systems were hacked into than they first realized. Sixty-six percent of breaches involved data that organizations didn't know they had.

He offered this example: When a company gives Verizon a short list of five or six systems that must be hacked in order for data to be compromised, "What happens is, inevitably, we plug into their network to substantiate the data they've given us," he said. "It's not six. It's 16 or 26 systems."

Verizon produced the report to inform readers about breaches and to spur them to think harder about security and how to implement it.

"You tend to hear about the company that was hacked and the people who were affected. You hear about the data types that are taken, but you never really hear about what it was that the company did wrong: What are some of the hard lessons learned? What are things that other companies could understand about that that would help to keep them out of the headlines themselves?" he said.

The report also contains recommendations for improved security. They include:

  • Adhere to established policies. In 59 percent of cases, security procedures that had already been established weren't implemented.
  • Don't forget about basic security measures in the pursuit of excellent ones. Eighty-three percent of breaches came from attacks that weren't hard to pull off.
  • Stay on top of event logs. In 82 percent of cases, evidence existed of events leading up to the breaches before the compromise actually occurred.
  • Simulate actual breaches. Verizon recommends routine, mandatory incident response training that will keep IT personnel on top of proper security protocols.

"I would say there's a lot you can learn from the victims here," Sartin said. A handful of fundamental problems recur in many of the cases and contributed to the breaches, he said.

