According to Verizon's 2009 Data Breach Investigations Report

Apr 17, 2009 09:59 GMT

The 2009 Data Breach Investigations Report (PDF) is a study conducted by the Verizon Business RISK team, which analyzed 90 data breach cases confirmed in 2008. Beyond the astounding figure of 285 million compromised records, the investigation revealed other interesting findings, several of which conflict with widely held beliefs.

One of the most intriguing findings in the compiled data is that most breaches were caused by external parties (74%). The share of breaches resulting exclusively from the actions of insiders is still significant (20%), but much lower than many security professionals routinely claim. Incidents involving business partners are also declining, accounting for 32% of the total, which is 7% lower than the previous estimate.

And if anyone still doubted it, the vast majority of the analyzed breaches, 91%, were linked to organized criminal groups. "In the more successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data. 98 percent of all records breached included at least one of these attributes," the report reads.

There is also some information that critics of the payment card industry's security standard will not like very much. The report states that 81% of victims were not PCI DSS compliant, suggesting that compliance with this standard is vital for businesses handling financial records, which were also the most frequently targeted.

The Verizon Business RISK team points out that testing and reviewing code is critically important, because web applications and remote control software were the point of entry in most cases, and SQL injection was the preferred attack vector.

Other recommendations were also made based on the report's findings. They include, but are not limited to, changing default credentials (another common attack vector), avoiding shared credentials, regularly reviewing user accounts and their privileges, comprehensive patching, disabling accounts when employees are terminated, and enabling monitoring and logging at the application level, not just server- or network-wide.
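As an added illustration of two of the points above (the example is mine, not code from the report or this article), here is the kind of defect a code review should catch, a query built by string concatenation, beside its parameterized fix, with a minimal application-level audit record of the sort the report recommends. The user table, rows and audit structure are constructed for the demonstration.

```python
import sqlite3

# Application-level audit trail (constructed): one entry per lookup, so a
# single request that matches every user stands out even if the database
# and network logs look normal.
AUDIT_LOG = []


def make_db():
    """Constructed in-memory table standing in for a web app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_unsafe(conn, name):
    """Defect a reviewer should flag: untrusted input is pasted into SQL,
    so the input can change the query's logic instead of just its value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened form: the driver binds the value as data, never as SQL,
    and the lookup is recorded at the application layer."""
    sql = "SELECT name FROM users WHERE name = ?"
    rows = [row[0] for row in conn.execute(sql, (name,))]
    AUDIT_LOG.append({"event": "user_lookup", "input": name,
                      "rows_returned": len(rows)})
    return rows


def suspicious_lookups(audit_log, threshold=1):
    """Detection over the audit trail: a lookup by exact name should return
    at most one row; anything above the threshold is worth investigating."""
    return [e for e in audit_log if e["rows_returned"] > threshold]
```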

"The increasingly targeted and sophisticated attacks often occur to organizations storing large quantities of data valued by the criminal community. Organizations should be prepared to defend against and detect very determined, well-funded, skilled and targeted attacks," the Director of the SANS Internet Storm Center (ISC), Marcus H. Sachs, commented.