Pierluigi Paganini September 11, 2012

Security Firm Rapid 7 has published an interesting analysis on government data breach reported from January 1, 2009 to May 31, 2012. The document present a worrying scenario in which 268 incidents exposed more than 94 million records containing sensible information. This type of incident is really dangerous due the nature of information exposed that could represents the starting point for further attacks. Marcus Carey, security researcher at Rapid7, declared:

“Our analysis puts a spotlight on the need for improved security operations and testing. It also analyzes specifc threats that government entities are facing, because knowing these threats is key to be able to reduce risk.”

In US all states have adopted laws requiring that companies victims of incident to notify information to their customers in order to proper response to the event. Recently, Senate Republicans have introduced draft legislation known as the “Data Security and Breach Notification Act of 2012 (S.3333)” to propose a national recognized procedure to respond to data breaches. Governments networks are privileged targets for several type of attackers, foreign state-sponsored hackers, hacktivists and cyber criminals, and in every cases the principal objective is cyber espionage, are increasing in fact the attacks to expose government information or to steal intellectual properties in critic sectors such as the defense. The Report of Rapid 7 has been published few days after the publication by Symantec of the document on the “Elderwood project” that describe the ongoing impact of cyber espionage operations and attacks part of the famous Op. Aurora.

2010 was the year with the high number of incidents publicly reported, a number three times higher of the number of incidents reported in the first half of 2012.

Despite 2010 was the year with highet number of incidents, the major number of records exposed is related to 2009, in particular in the month of October 2009 76 million US veterans’ personally identifiable information (PII) was exposed after a defective hard drive was sent to a government vendor for repair and recycle before the data was erased.

The Report proposes the division of data breaches in the following categories:

1. Unintended disclosure – Sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax, or mail.
2. Hacking or malware – Electronic entry by an outside party, malware, and spyware.
3. Insider – Someone with legitimate access intentionally breaches information – such as an employee or contractor.
4. Physical loss – Lost, discarded, or stolen non-electronic records, such as paper documents.
5. Portable device – Lost, discarded, or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
6. Stationary device – Lost, discarded, or stolen stationary electronic device such as a computer or server not designed for mobility.
7. Unknown or other.

Going in the details of the data proposed by Rapid 7, the number of incidents and reported PII records exposed during the period of observation are:

1. Unintended disclosure – 78 incidents exposing 11,783,776 records
2. Portable device – 51 incidents exposing 80,706,983 records
3. Physical loss – 46 incidents exposing 296,710 records
4. Hacking or malware – 40 incidents exposing 1,082,749 records
5. Insider – 39 incidents exposing 177,399 records
6. Stationary device– 6 incidents exposing 250,650records
7. Unknown or other – 8 incidents exposing 5,906 records

The data proposed in my opinion demonstrate that this type of incidents could be sensibly reduced with an opportune awareness campaign, as seen a great number of incidents is related to misconduct of users, that not intentionally, apply an adequate protection to their data. Excluding hacking attacks made by foreign governments and cyber criminals that exploit 0-days vulnerabilities, with the definition of best practices and the adoption of a behavior compliance to the current standard in matter of security it is possible to avoid data breach incidents, or at least reduce the number of exposed information. That consideration is an imperative in government environments to avoid dramatic incidents that could expose homeland security.

Pierluigi Paganini