Mistakes are costing companies millions from avoidable data breaches

Lately not a day goes by without a major news story on cybercriminals, hacktivists, and spies.  These are generally viewed as the main threat actors behind the data breaches that we spend so much time — and budget — fighting. But what about Anne in Accounting, Sam in Sales and Paul in Production? While malicious attacks are certainly a significant problem and make for thrilling headlines, it’s mistakes made by people and systems that actually cause the majority of data breaches.

According to the 2013 Cost of a Data Breach study, negligence and system glitches together accounted for 64 percent of data breaches last year. These can include employees mishandling information, violations of industry and government regulations, inadvertent data dumps, stolen laptops, and wrongful access.

2013 ISTR Shows Changing Cybercriminal Tactics

The Symantec Internet Security Threat Report (ISTR) 2013 reveals how the threat landscape is evolving, compiling information from more than 69 million attack sensors in 157 countries around the world. This year's report shows more targeted attacks, an increasing focus on smaller businesses, and the continued development of new threats.

Targeted attacks, hacktivism, and data breaches

Targeted attacks saw a 42 percent increase in 2012, to 116 per day on average, with a corresponding increase in data theft and incidents of industrial espionage. Attackers are changing their targets, as well. Small businesses make up a larger percentage of those targeted for attack than in 2011 (a threefold increase), with 31 percent of all targeted attacks directed at companies with fewer than 250 employees. Attackers are finding valuable data to steal from small companies and fewer defenses in place to stop them. Manufacturing is now the most targeted business sector, making up 24 percent of targeted attacks. One of the most significant innovations in targeted attacks is the emergence of watering hole attacks: the attackers compromise a website that an intended target is likely to visit, and once the target visits that website their computer becomes infected with malware. This successful tactic, popularized by a group known as the Elderwood Gang, has infected up to 500 companies in a single day.

Covering All Your Bases – Part 1

In the public wave of attention to Stuxnet, we have seen how physical systems can be impacted by malicious threats. But threats to hardware are not limited to Industrial Control Systems (ICS); other potential targets are networking equipment, computing hardware and telecom. When protecting our organizations, we should always make sure we are covering all of our bases. Sometimes this means protecting and auditing the hardware itself that is responsible for our communications and processing. In recent years we have seen other examples of compromised hardware resulting from processes or personnel within a supply chain: computing hardware shipped with malware stored in nonvolatile memory; hardware with covert secondary channels or devices that communicate or store confidential data; or a device that contains something as simple as a backdoor login. All of these are possibilities that can be introduced into the supply chain during the manufacture, assembly or shipping of equipment. This is just a small glimpse of what is possible when dealing with threats that can be embedded in hardware.
This exposes several possible risks:

How big of a target do I have on my back?

I frequently present on security threats and the Symantec Internet Security Threat Report. There are many great statistics in the current report: 403M unique variants of malware, 5.5B web attacks blocked, 4,597 web attacks per day, etc. I frequently describe the different types of attackers: malicious outsiders, insiders, organized crime, etc. The question that is frequently posed after the presentation is "How big of a target are we?"

Many security professionals are looking for an input to the risk formula: the probability of being attacked by one of the attacker types. Unfortunately, this hard quantitative data does not exist; we can only do our best to estimate it based upon the data and information we have about the current threat landscape, as well as industry and company trends.

RSAC Panel Insights: Can Data Breaches Be Stopped, Really?

Can data breaches be stopped, really? This was the question posed by Larry Ponemon, chairman and founder of the Ponemon Institute, at the start of a panel discussion I attended at the RSA Conference last month. Experts on this panel seemed to agree on one answer – No.

The tongue-in-cheek response from James Christiansen, Evantix CEO and CISO, brought a room full of laughter when he said, “Yes, you just need to put the computer in a safe and bury it 30 feet underground.”

Jon Oltsik, an analyst at Enterprise Strategy Group, equated the situation to the war on drugs: "Border control may be able to capture some on the borders, but the problem continues to escalate and keeps getting bigger." John Townsend, Manager of Information Protection and Security at DTE Energy, commented, "If we use the wall analogy, rather than having a brick fence what we now have is a chain link fence. While we have made some inroads, people are still not taking security seriously enough."

Negligent Employees and Malicious Attacks Cause 75% of Data Breaches

The past year was a whirlwind of high-profile data breaches. There were nearly 900 data breaches in 2011, more than the prior two years[i], with over 31 million records breached[ii]. And, as the number of reported breaches continued to rise, organizations still paid a hefty cost for data breaches, according to this year’s Cost of a Data Breach Study. The organizational cost of a data breach was $5.5 million last year, and the cost per lost or stolen record was $194.

Let’s dive into some of the more interesting findings from this year’s study.

Malicious Attacks Most Costly Breaches

Malicious or criminal attacks are causing almost as many breaches as negligent insiders. In 2011, negligence was the root cause of 39 percent of the data breaches, while malicious attacks caused 37 percent of data breaches (up 6 points from 2010). For the first time malicious attacks account for more than a third of breaches; they also remain the most costly type of breach at $222 per compromised record.

How is Malware like a Movie?

A couple weeks ago, a preview for a new movie by a famous actor playing himself as both the lead man and woman caught my attention. I like this actor and his movies are pretty funny, but it got me thinking…How many of these same movies have there been in the past with just a slight variation? How many people have paid to see, rent or own roughly the same movie with some alterations to make it seem new – either the actors change, the motivation for the characters change, the plot is slightly different? And, if this happens with movies then what about TV, music and books? I continued to ponder this, then it hit me that the same can be said for most of these art forms. We’ve seen countless TV shows about a group of friends living in close proximity to each other sharing life’s events, songs with the same message or similar notes and rhythms, books about spies, double crosses, wizards, vampires, but the stories all have strong commonalities.

The Internet – A Blessing or Double-Edged Sword?

The Internet has grown to be one of the most important information and business conduits the world has ever seen. While it has brought us amazing new capabilities over the past 15 years or so, the Internet comes with its downside. Much like the days when America was stretching itself from the east to the west, the "wild west" was a ripe playground for "bad" people. The same goes for the Internet.

It is a double-edged sword. We have amazing capabilities, but also a perfect landscape for lawlessness. Hackers and cybercriminals have taken note. Today, they leverage the Internet to target specific individuals or groups of individuals at specific companies: they get them to react to an email message that directs them to an attacker's site, which silently downloads malware to begin the process of gaining access and stealing data or IP. What's more, they're automating their attacks. Sophisticated attackers are leveraging scripting tools and computing power to call together vast numbers of computers to aid in perpetrating automated attacks.

Puddles

(Cross-posted from Symantec Connect)

I believe that we have reached a saturation point.  You know how, after heavy rain, the ground can’t absorb any more water and it begins to pool on the ground? We’ve reached that point with security incidents.

The bad guys just can’t pump out new malware any faster. Check out the Norton Cybercrime Index.  The trends for 2011 are pretty much flat. The explosive growth in malware we’ve seen in the previous 10 years is just not sustainable. Maybe new hacker tools will come along, new propagation methods, or more platforms, or more people to infect.  But for now, things are beginning to stagnate.

This is not to say the problem is going away. There were 286M new malware variants in 2010. 286 million! But even that mind-blowing number reflects a slowdown. It's more than the year before, but not the 100% increase we've reported in previous years. It's not like the growth we used to see.

Protecting Corporate Data Starts at Home

A news article in the New York Post provides a cautionary tale of one of the many reasons properly securing home wireless networks is more than just a good idea. While the story is interesting and makes for good press, it merely scratches the surface of why companies and individuals need to pay a lot more attention to the security of home wireless networks.

While unauthorized use of an individual's Wi-Fi network to commit serious crimes can put innocent people in the crosshairs of criminal investigations, the implications for the protection of corporate data are significant as well. If an attacker gains access to a person's wireless network, corporate systems (i.e., corporate-owned laptops and/or desktops) connected to that network can be easy points of compromise and data loss.
