Cyber thieves stealing fewer records – why is that bad news?

 

A pair of cybersecurity studies show how hackers and criminals adroitly adapt to a shifting IT environment while systems defenders stand still.

A pair of cybersecurity reports released April 19 painted a pessimistic picture of the threat landscape, indicating that the bad guys are adapting quickly to new conditions while systems' owners and defenders are making little headway.

One example: The number of compromised records in 2010 was only about 2.7 percent of the number compromised in 2009, but they resulted from significantly more attacks aimed at specific, smaller (and often easier) targets.

The nation’s critical infrastructure also appears to be vulnerable.

“Overall, we found little good news about cybersecurity in the electric grid and other crucial services that depend on information technology and industrial control systems,” the second annual report from McAfee on critical infrastructure protection concluded.



The report found that although Stuxnet raised security awareness in the last year, improvements have been marginal.

“There were gains, but they’re modest,” said Stewart Baker, a visiting fellow at the Center for Strategic and International Studies, which helped analyze data for the report.

Within the energy sector, which is making large investments in the development of a Smart Grid that will significantly increase the attack surface of the nation’s power distribution system, one third of companies surveyed said they were taking no additional security measures. “That is not a prudent response to the emergence of Stuxnet,” Baker said.

Another report, the Data Breach Investigations Report for 2011 from Verizon, indicated that although reported data breaches appear to be up in 2010 from 2009, the number of records compromised in those cases paradoxically dropped, from about 143 million in 2009 to only about 3.8 million last year.

But that is not necessarily a reason to celebrate, said David Ostertag, a Verizon global investigations manager and an author of the report. The change is one of quality as well as quantity. “We’ve had a dramatic change in what the bad guys are stealing,” as thieves respond to changes in the underground market.

Verizon’s data breach report is based on an analysis of more than 900 data breach cases investigated from 2004 through 2009, together with another 667 cases in 2010, investigated by Verizon as well as the U.S. Secret Service and the Dutch National High Tech Crime Unit.

In 2009, data breaches typically involved large volumes of personal financial account information. In 2010, they had shifted more to intellectual property and business information. This is reflected in an increase in precisely targeted, high-value attacks at one end of the spectrum, and more small crimes of opportunity on the other end.

“I think there is a different type of clientele now,” that is driving the type of data being stolen, Ostertag said. “We don’t know enough right now to make any specific statements” about the end users of the stolen data, but for business information, “the parties that would obviously be most interested would be other businesses.” There is no way to rule out nation states as customers for the information, he said.

Criminals also seem to be targeting more small businesses, which yield smaller batches of information, but also are easier targets. This is illustrated by the difficulty of the attacks studied by Verizon. In 2009, about 15 percent of attacks were rated as being of high difficulty, requiring advanced skills, significant customization and extensive resources. For 2010, just 8 percent were rated difficult.

These shifts in target and technique probably are a response to successes by law enforcement in the past year, and also to a glut on the underground market of personal account information from the boom years of 2008 and 2009, Ostertag speculated.

“All of this goes in a cycle,” he said. “And supply and demand drive that cycle.” Credit card account data that sold for as much as $16 per account in 2005 now is going for as little as 20 cents.

As compromised accounts are closed, however, that underground glut will rapidly clear and demand for stolen information will increase, Ostertag said. “Next year’s reports are going to blow this year’s figures out of the water,” he said. “We already know that.”

The McAfee-CSIS report is based on detailed surveys of 200 critical infrastructure industry executives in 14 countries.

One concern identified in the report is that the United States’ rush to develop a smart-energy delivery grid is being done without adequate attention to security. McAfee CTO Phyllis Schneck likened the effort to the adoption of the Internet for critical transactions without adequate security. “It appears we’re making the same mistake,” she said.
