Hacktivism was the leading cause for compromised data in 2011, says Verizon

Over 100 million records were compromised as a result of hacktivism in 2011, according to a Verizon study

More than half of data stolen from companies in 2011 was a result of hacktivist actions, even though the majority of data breaches were still caused by financially motivated cybercriminals, Verizon said in its 2012 Data Breach Investigations Report released on Thursday.

The report spans 855 data breach incidents investigated by the company and several law enforcement agencies -- the U.S. Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police. These incidents resulted in a total of 174 million compromised records, the second-highest volume of compromised records since Verizon began compiling data breach statistics in 2004.

Up to 98 percent of data breach incidents covered by the new report were caused by external agents and the vast majority of them, 83 percent, were organized criminal groups.

Hacktivists were responsible for only 3 percent of data breaches. However, they had the biggest impact in terms of compromised records, over 100 million of the total of 174 million.

One explanation is that financially motivated cybercriminals tend to target small and medium-size organizations and are looking for particular types of data, while hacktivists primarily target large organizations and grab anything they can get their hands on, from customer records to internal emails, said Bryan Sartin, vice president of the Verizon Research Investigations Solutions Knowledge (RISK) team.

A decrease in the sophistication of attacks launched by financially motivated cybercriminals has also been observed, most of them becoming repetitive in nature, Sartin said.

Meanwhile, hacktivists are more unpredictable. They employ more sophisticated techniques, such as DNS tunneling, and use diversionary tactics, such as distributed denial-of-service (DDoS) attacks. "There's a different landscape for hacktivism, that's for sure," Sartin said.

The data breach expert is "cautiously pessimistic" about hacktivist attacks decreasing in number or impact in 2012, despite the multiple hacktivism-related arrests made by law enforcement agencies worldwide in recent months.

The origin of external attacks is different depending on the size of the targeted organizations. In 67 percent of cases for the entire set of data breaches, the origin was Eastern Europe.

However, when looking only at large organizations with over 1,000 employees, the percentage was much lower -- 27 percent. In 47 percent of cases, external attacks against such organizations originated from North America.

Out of the 885 incidents included in the report, 81 percent included some form of hacking and 69 percent included malware activity; 61 percent included a combination of both.

In the vast majority of cases that involved malware, the remote attackers installed it after they had obtained unauthorized access to the organization's network or systems. The most prevalent type of malware used in these attacks falls into the spyware category and includes keyloggers and Web form grabbers.

However, even though the use of spyware was predominant, this type of malware resulted in a lower number of compromised records than backdoors, which were seen only in 20 percent of incidents. Over 90 percent of known record loss is associated with attacks that use backdoors, the report said.

As far as hacking methods go, the exploitation of default, guessable, or stolen login credentials is by far the most common one. SQL injection, which is generally considered a popular hacking technique, was only seen in 3 percent of data breach incidents.

Login credentials for remote access services like Microsoft's RDP or VNC were exploited in 88 percent of data breach incidents that involved hacking. This suggests that such services are widely used in corporate environments and are often easily accessible to attackers, which makes the recent disclosure of details about a remote code execution vulnerability in Microsoft's RDP service even more worrying.

In terms of compromised assets, 64 percent of data breach incidents involved compromised servers and 60 percent involved compromised user devices. However, the majority of stolen records were stored on compromised servers, particularly Web/application and database ones.

In light of the growing trend to move corporate infrastructure into the cloud, it's worth mentioning that cloud-related data breaches are still almost non-existent. "We're seeing very little evidence of data breaches in the cloud," Sartin said. "There's a compelling lack of statistics for that."

Verizon's recommendation for small and medium-sized organizations is to deploy firewalls on Internet-facing services and to change the default credentials of point-of-sale (POS) and other systems to prevent unauthorized access. Organizations that outsource their technical support to other vendors should ensure that those vendors follow these recommendations too.

Large enterprises should eliminate unnecessary data, monitor and mine event logs for suspicious activity and establish essential security controls, Verizon said.
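As an added illustration of the "monitor and mine event logs" recommendation, here is a small Python script that is not part of the report or this article. It scans remote-access logon records for the two patterns the report singles out: guessed or default credentials on services such as RDP and VNC. The log format, the constructed sample lines, the list of default account names and the failure threshold are all assumptions made for the example; a real deployment would feed it Windows Security event exports or VNC server logs in whatever format the site actually produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report): one line per remote-access
# logon attempt in a simplified, syslog-like format that this example assumes.
SAMPLE_LOG = """\
2012-03-20T02:14:01 svc=rdp src=203.0.113.7 user=administrator result=fail
2012-03-20T02:14:03 svc=rdp src=203.0.113.7 user=administrator result=fail
2012-03-20T02:14:05 svc=rdp src=203.0.113.7 user=administrator result=fail
2012-03-20T02:14:06 svc=rdp src=203.0.113.7 user=administrator result=fail
2012-03-20T02:14:08 svc=rdp src=203.0.113.7 user=administrator result=fail
2012-03-20T02:14:10 svc=rdp src=203.0.113.7 user=administrator result=success
2012-03-20T09:01:00 svc=vnc src=192.0.2.10 user=jsmith result=success
2012-03-20T09:05:00 svc=vnc src=192.0.2.10 user=jsmith result=fail
2012-03-20T09:05:30 svc=vnc src=192.0.2.10 user=jsmith result=success
2012-03-20T23:40:00 svc=rdp src=198.51.100.9 user=pos result=success
"""

# Account names commonly shipped as vendor or installation defaults (assumed list;
# tailor it to the POS vendors and images actually in use).
DEFAULT_ACCOUNTS = {"administrator", "admin", "root", "pos", "guest", "support"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) svc=(?P<svc>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def find_guessing_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (src, user, svc) where >= threshold failures inside `window` precede a success.

    A burst of failures that ends in success is the classic footprint of a
    guessed password; failures alone are noisy, so only the success is reported.
    """
    findings = []
    failures = defaultdict(list)  # key -> timestamps of failures still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"], ev["svc"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "fail":
            recent.append(ev["ts"])
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                findings.append({
                    "type": "guessing_then_success", "src": ev["src"],
                    "user": ev["user"], "svc": ev["svc"],
                    "failures": len(recent), "at": ev["ts"].isoformat(),
                })
            failures[key] = []  # a success resets the counter for this key
    return findings


def find_default_account_logins(events):
    """Flag successful logons to accounts whose names match the default list."""
    return [
        {"type": "default_account_login", "src": ev["src"], "user": ev["user"],
         "svc": ev["svc"], "at": ev["ts"].isoformat()}
        for ev in events
        if ev["result"] == "success" and ev["user"].lower() in DEFAULT_ACCOUNTS
    ]


def scan(text):
    """Run both detections over raw log text and return the combined findings."""
    events = parse_log(text)
    return find_guessing_then_success(events) + find_default_account_logins(events)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports the administrator account on 203.0.113.7 twice (five failures followed by a success, and a successful logon to a default account name) and the "pos" logon once; the single failure by jsmith stays below the threshold and is not reported. The threshold and window are the knobs to tune against a site's own baseline of mistyped passwords.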
