(UPDATE)-“Interesting” Logic & Analysis – Verizon’s 2012 Data Breach Report April 17, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, terrorism. Tags: anonymous, Chris Mark, CSOonline, cybercrime, hacktivism, InfoSec, mark consulting group, security, Verizon data breach report
I received a very insightful comment from one of the Verizon authors and thought it prudent to share. I think this explanation is very helpful for companies looking at infosec controls. Here it is, in part (emphasis added): “You make a valid point about the fact that a determined attacker would simply try again if the first attempt failed. However, our finding that most breaches are avoidable through relatively simple controls doesn’t overlook this as you suggest. Our data show that most criminals aren’t determined to breach a particular victim and likely won’t try again if met with decent resistance. In fact, the extreme opportunistic nature of target selection means they likely won’t even be attacked with certain controls in place because automated probes will skip on down the street after jiggling the door handle a bit.” You can read the full comment in the comments section. The entire original post follows if you continue reading.
Let me start by saying I am a fan of Verizon’s annual data breach report. Some of the information is very insightful. That being said, there are some flawed assumptions made by the authors and by others who analyze the reports. This, I believe, is a function of “techies” venturing into the unfamiliar waters of decision science and related fields. Here are two examples:
“As in previous years, Verizon has found that most cyberattacks were avoidable if network managers followed best practices for information security. Verizon said that 96% of attacks were “not highly difficult,” and 97% of attacks were avoidable through “simple or intermediate controls.” (emphasis added)
This type of analysis is similar to using the Rational Actor model as a predictive tool. You cannot make assumptions about whether a crime would or would not have been avoidable based solely on an understanding of how it occurred. The fact that the criminal took the path of least resistance does not imply that they would have failed had more robust controls been in place. A more accurate, and more responsible, statement would have been: “The level of difficulty would have increased in the identified attacks through more advanced controls. It is believed that the result would have been fewer successful attacks, as the cost/benefit calculation would have changed for the criminal. This does not account for an increase in attacks against other companies due to the substitution effect.”
Consider a situation in which you come home to find your house has been burglarized and the criminal broke a window to enter. On discovering that a window, and not a door, was the avenue into the house, it would not be logical to look at the attack in hindsight and say: “If we had stronger windows the burglary would not have happened.” The burglar, if the motivation was high enough, would simply have looked for another way into the house.
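To make the cost/benefit argument concrete, here is a toy model added for this post; it is not Chris Mark’s code or anything from the Verizon report, and the targets, attack paths, difficulties and attacker budgets are all constructed. Each attacker takes the cheapest path within its budget (its determination) and, if that is too expensive, moves on to the next target down the street, so the model shows both the substitution effect argued above and the opportunistic behaviour described in the Verizon author’s reply, and lets you compare the hindsight count of “avoidable” breaches with what hardening one control actually changes.

```python
from collections import Counter, namedtuple

# Toy "path of least resistance" model, constructed for this example (not the post's or Verizon's data).
Target = namedtuple("Target", "name paths")  # paths: attack path -> difficulty (effort units)

def attempt(budget, target):
    """The attacker takes the cheapest path in; it succeeds only if that path is within budget."""
    path, cost = min(target.paths.items(), key=lambda kv: kv[1])
    return path if cost <= budget else None

def simulate(budgets, targets):
    """Each attacker probes the targets in order and stops at the first one it can breach."""
    breaches = {t.name: Counter() for t in targets}
    deterred = 0  # attackers who found no target within budget
    for budget in budgets:
        for t in targets:
            path = attempt(budget, t)
            if path:
                breaches[t.name][path] += 1
                break
        else:
            deterred += 1
    return breaches, deterred

def harden(target, path, new_cost):
    """A control that raises the difficulty of one path (e.g. patching the web app)."""
    return Target(target.name, {**target.paths, path: new_cost})

def hindsight_avoidable(target_breaches, target, threshold):
    """Report-style count: breaches whose path was 'not highly difficult' (cost <= threshold)."""
    return sum(n for p, n in target_breaches.items() if target.paths[p] <= threshold)

# Constructed scenario: victim A, neighbour B "down the street", and 13 attackers whose budget models determination.
A = Target("A", {"unpatched_web_app": 2, "phished_creds": 5, "zero_day": 9})
B = Target("B", {"exposed_service": 3, "phished_creds": 6})
BUDGETS = [2] * 6 + [3] * 4 + [5] * 2 + [10]  # mostly low-budget opportunists, one determined attacker

def run_scenario():
    before, _ = simulate(BUDGETS, [A, B])
    after, deterred = simulate(BUDGETS, [harden(A, "unpatched_web_app", 7), B])
    return {
        "at_A_before": sum(before["A"].values()),
        "hindsight_avoidable": hindsight_avoidable(before["A"], A, threshold=3),
        "at_A_after": sum(after["A"].values()),  # determined attackers took another path in
        "displaced_to_B": sum(after["B"].values()),  # substitution effect
        "deterred": deterred,  # gave up: no target within budget
    }

if __name__ == "__main__":
    print(run_scenario())
```

In this scenario every one of the 13 breaches at A looks “avoidable” in hindsight, yet patching the web app stops only 10 of them: the three better-resourced attackers phish their way in instead, and four of the ten it does stop simply breach the weaker neighbour.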
An author for CSOonline summarized a part of the report as follows: “Hacktivists – not cybercriminals – were responsible for the majority of personal data stolen from corporate and government networks during 2011, according to a new report from Verizon. The Verizon 2012 Data Breach Investigation Report found that 58% of data stolen in 2011 was the result of hacktivism, which involves computer break-ins for political rather than commercial gain. In previous years, most hacking was carried out by criminals, Verizon said.”
This statement gives me pause. It is akin to saying: “Terrorists – not criminals – were responsible for the majority of murders last year.” The act (killing, stealing, raping) is a criminal act. The motivation is what determines whether the act was driven by ideological or financial ends. A terrorist who kills does so for ideological purposes; a sadist who kills does so for sexual gratification; a hit-man kills for money. They are all murderers (criminals) driven by differing motivations. Again, it is not accurate to state that “hacktivists – not cybercriminals – were responsible for the majority of personal data stolen…” Hacktivists who steal personal data are, by definition, criminals.
The challenge with trying to differentiate a ‘hacktivist’ from a criminal is the natural softening of the perception of the hacktivist as some benign activist who is simply up to mischief to make a political statement. If you steal someone’s credit card data and use it fraudulently, you are a criminal regardless of your motivation.
Hello Mark. Glad to see another Decision Sciences guy in the infosec field. You make a valid point about the fact that a determined attacker would simply try again if the first attempt failed. However, our finding that most breaches are avoidable through relatively simple controls doesn’t overlook this as you suggest. Our data show that most criminals aren’t determined to breach a particular victim and likely won’t try again if met with decent resistance. In fact, the extreme opportunistic nature of target selection means they likely won’t even be attacked with certain controls in place because automated probes will skip on down the street after jiggling the door handle a bit.
Wade, thank you very much for some very insightful information. I think your explanation is very sound and makes a lot of sense. I am going to add your comment to the original post. Thanks for taking the time to comment!