
Rapid7 analysis of data breach incidents

Security firm Rapid7 has published an interesting analysis of government data breaches reported from January 1, 2009 to May 31, 2012. The document presents a worrying scenario: 268 incidents exposed more than 94 million records containing sensitive information. This type of incident is particularly dangerous because of the nature of the exposed information, which can become the starting point for further attacks. Marcus Carey, security researcher at Rapid7, declared:

“Our analysis puts a spotlight on the need for improved security operations and testing. It also analyzes specific threats that government entities are facing, because knowing these threats is key to being able to reduce risk.”

In the US, all states have adopted laws requiring companies that are victims of an incident to notify their customers, so that those customers can respond properly to the event. Recently, Senate Republicans introduced draft legislation known as the “Data Security and Breach Notification Act of 2012 (S.3333)”, which proposes a nationally recognized procedure for responding to data breaches. Government networks are privileged targets for several types of attackers: foreign state-sponsored hackers, hacktivists and cyber criminals. In every case the principal objective is cyber espionage; attacks aimed at exposing government information or stealing intellectual property in critical sectors such as defense are in fact increasing. The Rapid7 report was published a few days after Symantec released its document on the “Elderwood project”, which describes the ongoing impact of the cyber espionage operations and attacks that were part of the famous Operation Aurora.

2010 was the year with the highest number of publicly reported incidents, three times the number of incidents reported in the first half of 2012.

Although 2010 had the highest number of incidents, the largest number of exposed records relates to 2009: in October 2009 the personally identifiable information (PII) of 76 million US veterans was exposed after a defective hard drive was sent to a government vendor for repair and recycling before the data had been erased.

The Report proposes the division of data breaches in the following categories:

  1. Unintended disclosure – Sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax, or mail.
  2. Hacking or malware – Electronic entry by an outside party, malware, and spyware.
  3. Insider – Someone with legitimate access, such as an employee or contractor, intentionally breaches information.
  4. Physical loss – Lost, discarded, or stolen non-electronic records, such as paper documents.
  5. Portable device – Lost, discarded, or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
  6. Stationary device – Lost, discarded, or stolen stationary electronic device such as a computer or server not designed for mobility.
  7. Unknown or other.

The following graph shows the share of unintended disclosure and hacking incidents in the total number of incidents; in both cases the trend is growing.

Going into the details of the data presented by Rapid7, the number of incidents and the PII records exposed during the observation period are:

  1. Unintended disclosure – 78 incidents exposing 11,783,776 records
  2. Portable device – 51 incidents exposing 80,706,983 records
  3. Physical loss – 46 incidents exposing 296,710 records
  4. Hacking or malware – 40 incidents exposing 1,082,749 records
  5. Insider – 39 incidents exposing 177,399 records
  6. Stationary device – 6 incidents exposing 250,650 records
  7. Unknown or other – 8 incidents exposing 5,906 records

In my opinion these data demonstrate that this type of incident could be significantly reduced with an appropriate awareness campaign: as the figures show, a great number of incidents is related to the misconduct of users who, unintentionally, fail to apply adequate protection to their data. Excluding hacking attacks carried out by foreign governments and cyber criminals exploiting 0-day vulnerabilities, defining best practices and adopting behaviour compliant with current security standards makes it possible to avoid data breach incidents, or at least to reduce the amount of exposed information. That consideration is imperative in government environments, in order to avoid dramatic incidents that could expose homeland security.

Pierluigi Paganini
