What You Don't Know About the World's Worst Breaches - Dr. Peter Tippett on the 2009 Data Breach Investigations Report
These are among the findings of Verizon's new 2009 Data Breach Investigations Report. In an exclusive interview, Dr. Peter Tippett, VP of Technology and Innovation at Verizon Business, discusses:
Tippett is the chief scientist of the security product testing and certification organization, ICSA Labs, an independent division of Verizon Business. An information security pioneer, Tippett has led the computer security industry for more than 20 years, initially as a vendor of security products, and over the past 16 years, as a key strategist. He is widely credited with creating the first commercial anti-virus product that later became Norton AntiVirus.
TOM FIELD: Hi this is Tom Field. I'm talking with Dr. Peter Tippett, vice president of technology and innovation with Verizon Business. Peter, thanks so much for joining me today.
PETER TIPPETT: Well thanks for being here.
FIELD: Would you tell me a little bit about yourself and your work just to set some context for the discussion we are going to have today?
TIPPETT: Sure. I started in the security world a few years ago in the antivirus space and then started NCSA, which became ICSA, which then became TruSecure, which purchased many companies in Europe and Asia. We called ourselves Cybertrust and in 2007 we merged with Verizon Business and became a security services group, taking people from Verizon Business into security, and now we are the biggest security services company in the world.
FIELD: Now I would like to talk with you about your new data breach investigation report. We are at the RSA Conference and I have to tell you, this report has just been--you have had great marketing for this. People have been talking this up throughout the event and I heard a quote from a prosecutor from the Department of Justice the other day saying that you are right on.
FIELD: Give us some highlights about this report that you have done.
TIPPETT: Well the report is different from most things we read in security because this is the actual data from our investigations of over 600 cases of computer crime that were the worst in the world; 90% of whatever made it to the major media were cases that we investigated; a third of all cases that have ever been published were cases that we investigated.
The quick, short story for the bank and financial industries this year is they have had an increase in organized crime and they were entirely focused at the financial sector, very focused. We saw an increase in sophisticated tool use. But the good news is that in all of those cases, they got in through some easy way. They got in somewhere on a non-sensitive, non-critical device where the password was password, or where it wasn't patched two years ago, or where it was a little SQL injection attack.
The easy things dominate by far so easy entry points are very common. So if you are a targeted organization, which only a few were in our cases, then the bad guys still get in through easy access points. We all worry about malcode and only a third of the cases had malicious code used, but we tend to think of malcode as malcode that the user picks up by doing their normal behavior. In our cases the malcode was used after the bad guy got in. They got in through some low-level thing that nobody was paying attention to, and then there was no good data there so then they put a sniffer in or they put a scanner in or they put a back door so they could get back in, those kinds of malcodes. Virtually all of it was after they were already in and not as a way to get in, which is completely opposite of the way we think.
For the vast majority of attacks, 99.9% of all data that was lost was lost from servers; so that is 0.01% that had anything to do with desktops or PCs or PDAs or USB sticks or anything like that.
Imagine our security budget, how much we put on a PC and end-user security and how much we put on server-based security. If you were balancing the dollars according to the way the losses actually worked, you would move dramatic funding away from PC and desktop; now I am not saying you should, but what I am saying is that it is probably better to put energy where you already have control, in the space where servers are and network appliances.
So those are big, big chunks of the findings. The other big finding for me is these unknown devices. Let me give you a little story.
Let's say a bank discovers fraud on some client system through the normal bank fraud detection mechanism; say the meter went up a little high. They call the client, the bank customer, and say it looks like you are experiencing fraud, so why don't you call those Verizon guys in. So we show up the next day. We bring donuts and coffee and say we are here to help and we say, "credit card fraud, where would that be?" They say machines A, B, C and D over there. So we go stick in a sniffer among machines A, B, C, and D and then we see that the traffic is flying around, but 1% of the traffic is going somewhere else. This machine is PQLR and we ask where that is. They say that it is two buildings over and it's not critical, it's not sensitive and it's not important. So we say, well can we go look anyway, and we go over there and that is where the attack happened on a third of all of our cases; two-thirds of all the data lost. The company knew they had the data, they knew to protect it, but they didn't. But it also existed on other servers, not desktops, laptops or email, but servers somewhere else. That is a third of all cases and two-thirds of all data lost. We call that the unknown data problem.
The unknown connection problem is where we go in and say, "what is this connection to, Malaysia?" And they ask, "what do you mean?" And we say, "this wire right here goes straight to Malaysia." It is where the attack came from and 25% of the cases, they didn't know they had a connection or it was something like, "we fired those guys three years ago." That is a very common thing.
Another thing: about a third of all attacks come through partner connections. Do the companies and banks put a third of their concern on partner connections? Partners are a big deal and it has grown four- or fivefold in the last five years as a vector for attack.
We do worry about application attacks, and it is about a quarter of all attacks using application vector. So it is important. The applications that get attacked are not the critical ones, they are some other little ones that nobody is paying attention to and so it turns out we are far stronger in larger companies doing a test of all applications instead of a deep test of just a few applications. But we tend to put things in order of what is most critical; we really work hard on the critical ones and we work less on the others.
So these are all behavioral changes that we can make to conduct a lightweight test of everything on the application level; do the internet facing first and everything, do the partner facing next, and then do the inside applications last. Just do the basics and you will get rid of about a quarter or a third of all vectors that cause attacks.
But there is something that is actually a bigger vector than applications and that is remote administrator-type things like PC Anywhere, VNC and SSH. That is more likely to be a vector than applications are. Do we spend even close to the amount of energy worrying about those? So these are the little stories that Verizon Data Breach Report is full of and they all give you the straight-up on where to spend the next dollar, and probably more important in these tight economic times, where to not spend the next dollar.
FIELD: Now one of the interesting things I have heard secondhand about this report is that you talk about where a lot of these attacks are coming from and we've got people putting a lot of energy, particularly in financial services, on the insider threat. I am told that what you find sort of dispels some of that myth.
TIPPETT: Yeah. We all learned that 80% of all giant attacks are insider. But it turns out that 75% of our data is outsider and 30% or 40% are partner-type outsiders. Only 20% have anything to do with insiders and half of those were duped by the outsider, so only in the vicinity of 10% are true insider attacks, so it is not a very common mechanism. And again, this is of the bigger attacks.
FIELD: Now we also serve the federal government. What do you find distinguishes government agencies from financial institutions and others that we have talked about?
TIPPETT: Well of course certain government agencies are targeted, the military and whatnot. People worry about China more than other places--just inordinately and our data shows China is certainly a player but Russia and the United States are far bigger players, two times bigger in each case than the data attacks coming from China. So we think it is misplaced to worry about China beyond our worries about other Americans or other Europeans. The basics work and they will work for government, they will work for industry, they work for finance and they work for everybody.
FIELD: How should people read your report? What should they be looking for in there?
TIPPETT: I think people should look for practical things. I am a pragmatic kind of guy. We put our energy around taking all data that we can get. We run the biggest computer crime investigation group, we run the biggest computer security consulting group, we run the biggest managed security services group. We have giant groups that can do application management and hosting and all of those things. Of course we run networks for people, we have 4,000 companies whose networks we manage; but our whole deal is why don't we get data from all of those resources.
We have a huge amount of data. Our customers' data, let's repurpose it so that our services can be more accurate, stronger, more fluid; but really what we want to do and what everybody ought to do is figure out the practical thing that makes the most sense, and all we have really done is institutionalize that in our process. Just take the data, convert it to real science and go for the most practical thing and do that for our customers.
FIELD: What are some of the things that business and government security leaders ought to be looking out for in the upcoming months?
TIPPETT: Although the information security space changes and in our most recent year we have had a pretty big uptick in organized crime and the use of focused sorts of tools, the main thing is we are just going to continue that trend. In the financial space, the stuff on the surface, on the front of your credit card, has just lost its value. The numbers on the front, the price has gone down more than tenfold on the black market in the last couple of years.
So the bad guys want to have that extra data, the PINs or the Card Not Present numbers, or your Social Security number, other things that they can then match with, because in their marketplace it is not worth anything on its own. So they are after the mother lode, where that data all exists. It doesn't have to be the back of the card or the PIN, it has to be something that helps them, that adds value to the front of the card where it is credit card data, other transaction data.
FIELD: Do you think that processors will continue to be a big target then?
TIPPETT: Processors are going to be a target because that is where the money is for the online information. But so will banks, so will merchants that are intermediaries. There has always been a game because people want to get at what banks have.
FIELD: Now have you had the opportunity to get a sense of where the defenses are strongest when you look across the public and private sectors? Who is doing well?
TIPPETT: Antivirus works well. The trouble we make is we try to make it work better when it is already taking part of the problem away. It has reduced our risk a thousandfold, so let's make it ten thousandfold. That is a mistake.
Firewalls work well. Again, our mistake is trying to make them work better. They do what they do and we are already in diminishing returns from making them work as well as they are going to. Intrusion detection isn't anywhere near where it needs to be. Log review could theoretically catch about 82% of cases in our studies, even the non-hacking ones. But it actually catches 6% or 7%, so we wind up with a very disproportionate use of the technologies of logging and IDS. In our own business, Verizon Business, intrusion detection signature-based things only account for 18% or 20% of cases, where the log stuff is much stronger, like application logs. We have driven most of our customers to do log work with us because it is so much stronger.
FIELD: If you could offer just a single piece of advice to business security executives that are reading your report and want to take action, what would that advice be?
TIPPETT: Do the basics first and then get on to the hard stuff.
FIELD: Peter, it has been a pleasure to listen to you today. Thank you so much for your time and for your insights.
TIPPETT: Great, thank you.