
(UPDATE)-“Interesting” Logic & Analysis – Verizon’s 2012 Data Breach Report April 17, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, terrorism.

I received a very insightful comment from one of the Verizon authors and thought it prudent to share. I think this explanation is very helpful for companies looking at infosec controls. Here it is, in part (emphasis added): “You make a valid point about the fact that a determined attacker would simply try again if the first attempt failed. However, our finding that most breaches are avoidable through relatively simple controls doesn’t overlook this as you suggest. Our data show that most criminals aren’t determined to breach a particular victim and likely won’t try again if met with decent resistance. In fact, the extreme opportunistic nature of target selection means they likely won’t even be attacked with certain controls in place because automated probes will skip on down the street after jiggling the door handle a bit.” You can read the full comment in ‘comments’. The entire post follows if you continue reading.

Let me start by stating that I am a fan of Verizon’s annual data breach report. Some of the information is very insightful. That being said, there are some flawed assumptions made by the authors and by others who analyze the reports. This, I believe, is a function of “techies” venturing into the unknown waters of decision science and other areas. Here are two examples:

“As in previous years, Verizon has found that most cyberattacks were avoidable if network managers followed best practices for information security. Verizon said that 96% of attacks were “not highly difficult,” and 97% of attacks were avoidable through “simple or intermediate controls.”” (emphasis added)

This type of analysis is similar to using the Rational Actor model as a predictive tool. You cannot make assumptions about whether a crime would or would not have been avoidable based solely upon an understanding of how it occurred. The fact that the criminal took the path of least resistance does not mean that they would not have been successful if more robust controls had been in place. A more accurate and responsible statement would have been: “The level of difficulty in the identified attacks would have increased through more advanced controls. It is believed that the result would have been fewer successful attacks, as the cost/benefit calculation would have changed for the criminal. This does not account for an increase in attacks against other companies due to the substitution effect.”

Consider a situation in which you come home to find your house has been burglarized and the criminal broke a window to enter. On discovering that a window, and not a door, was the avenue into the house, it would not be logical to look at the attack in hindsight and say: “If we had stronger windows the burglary would not have happened.” The burglar, if the motivation was high enough, would simply have looked for another way into the house.

An author for CSOonline summarized a part of the report as follows: “Hacktivists – not cybercriminals – were responsible for the majority of personal data stolen from corporate and government networks during 2011, according to a new report from Verizon. The Verizon 2012 Data Breach Investigation Report found that 58% of data stolen in 2011 was the result of hacktivism, which involves computer break-ins for political rather than commercial gain. In previous years, most hacking was carried out by criminals, Verizon said.”

This statement gives me pause. It is akin to saying: “Terrorists – not criminals – were responsible for the majority of murders last year.” The act (killing, stealing, raping) is a criminal act. The motivations determine only whether the act was driven by ideological or financial aims. A terrorist who kills does so for ideological purposes. A sadist who kills does so for sexual gratification, and a hit-man kills for money. They are all murderers (crimes) driven by differing motivations. Again, it is not accurate to state that “hacktivists – and not cybercriminals – were responsible for the majority of personal data stolen…” Hacktivists who steal personal data are, by definition, criminals.

The challenge with trying to differentiate a ‘hacktivist’ from a criminal is the natural softening of the perception of the hacktivist as some benign activist who is simply up to mischief to make a political statement. If you steal someone’s credit card data and use it fraudulently, you are a criminal regardless of your motivations.

Comments

1. wade - April 16, 2012

Hello Mark. Glad to see another Decision Sciences guy in the infosec field. You make a valid point about the fact that a determined attacker would simply try again if the first attempt failed. However, our finding that most breaches are avoidable through relatively simple controls doesn’t overlook this as you suggest. Our data show that most criminals aren’t determined to breach a particular victim and likely won’t try again if met with decent resistance. In fact, the extreme opportunistic nature of target selection means they likely won’t even be attacked with certain controls in place because automated probes will skip on down the street after jiggling the door handle a bit.

Chris Mark - April 17, 2012

Wade, thank you very much for some very insightful information. I think your explanation is very sound and makes a lot of sense. I am going to add your comment to the original post. Thanks for taking the time to comment!
