A Decade of Data Breaches: Some Things Never Change
August 9, 2023 Alex Woodie
Why did Willie Sutton rob banks? “Because that’s where the money is,” he told a reporter. Fast forward to 2023, and data is the new currency, so it’s not surprising that bad guys are doing their best to steal it. While some techniques have changed, many aspects of data theft have remained the same over the years, according to the Verizon Data Breach Investigation Report.
It was 2003 when the telecommunications company Verizon set up the Verizon Threat Research Advisory Center (VTRAC) to study emerging cyber threats. A year later, VTRAC investigators assisted in publishing the first Verizon Data Breach Investigation Report (VDBIR), which used a standardized methodology, dubbed Vocabulary for Event Recording and Incident Sharing (VERIS), for understanding more about data breaches.
In 2013, Verizon identified 2,500 data breaches out of 47,000 reported security incidents. By 2023, the number had ballooned to 5,200 confirmed data breaches out of 16,000 security incidents. In total, the VDBIR has tracked more than 950,000 incidents and confirmed more than a quarter million breaches (many of them investigated by VTRAC investigators but not all of them).
Comparing the 2013 VDBIR and the 2023 VDBIR, a few things stand out. For starters, the vast majority of data thieves are external players. In the 2013 report, 92 percent were external actors while only 14 percent were insiders. Ten years later, nothing had changed much: 83 percent of data breaches involved external players, while insiders were responsible for 19 percent.
That factoid runs counter to what Verizon once dubbed the “pro-insider majoritists.” However, the data doesn’t lie. For the 2023 report, the Verizoners wrote: “[T]he clear frequency of External actors as instigators of breaches is a datapoint that has held steady ever since we started this gig.”
It’s possible that internal players pose a bigger threat in organizations that rely on less well-known platforms, such as IBM i and System Z mainframes. Getting around these systems is not as intuitive as on more “industry standard” servers that external hackers are more likely to be familiar with, such as Windows and Linux. Security through obscurity isn’t anything you should rely upon, but that doesn’t mean it’s not a thing. On the whole, however, bad guys from the outside outnumber bad guys inside the firewall by about four-to-one in the world at large. If you’re responsible for securing an obscure Big Iron platform from IBM, clamping down on external access to your precious data should be job number one.
That begs the question: Why do people steal data? Well, we’ll point you back to the first line of this story. It’s pure, unadulterated greed – and not in the good, Gordon Gekko way, but in the bad, Willie-Sutton way.
“Long-time readers of the report will be similarly shocked to learn that Financial motives still drive the vast majority of breaches,” the 2023 VDBIR states, with “financial” being cited as the driver in 94.6 percent of breaches, with espionage, ideology, and grudge being other drivers. In 2013, a financial motive was cited in 75 percent of data breaches. Some things never change.
However, some things do change. For instance, back in 2013, 19 percent of data breaches could be traced to state-affiliated actors, with China’s thirst for intellectual property being the big driver, accounting for one-fifth of all breaches for the year. The 2023 report, however, shows less than 10 percent of data breaches having a state-sanctioned element – and nary a mention of China and its thirst for IP (maybe it has all it needs already?). Instead, organized crime rules the day, with about a 75 percent share of data breaches.
In 2013, compromised servers accounted for about half (54 percent) of breaches, with 71 percent of breaches involving the targeting of user devices. In 2023, about 80 percent of breaches involved a server (with Web apps and email the most compromised applications), while less than 20 percent involved personal user devices. This would seem to indicate that personal user devices, like laptops and smartphones, have gotten more secure while servers perhaps have gotten less secure, or at least are gaining more attention from hackers (after all, that’s where most of the data is).
Verizon has consistently used the 4As of VERIS, which seeks to identify the actors involved; what threat action was taken; which assets were affected; and what attributes are associated with the impact. But Verizon has tweaked its methodology a little bit over the years, such as by adopting the CIA triad of information security, which involves rating a breach according to its impact on data confidentiality, integrity, and availability. In 2023, Verizon also started adopting some of the terminology used in attack repositories, such as MITRE ATT&CK and the Center for Internet Security.
Ransomware wasn’t even a word back in 2013, but it continues to grow in 2023, when ransomware was used in a quarter of breaches. Ransomware’s strong showing surprised the Verizon folks, who thought that it had reached its theoretical peak. However, that wasn’t to be. “Ransomware is present today in more than 62 percent of all incidents committed by Organized crime actors and in 59 percent of all incidents with a Financial motivation, so sadly there is still some room for growth,” Verizon writes in the 2023 VDBIR.
Denial of service (DoS) attacks have been around for decades, and sadly, they continue to be the number one incident pattern, according to the 2023 VDBIR. Social media was already a thing back in 2013 (“The Social Network” movie debuted in 2010, you’ll recall). But social engineering as a hacker skill has climbed considerably in terms of incidents.
In terms of actual data breaches (as opposed to mere security incidents), system intrusion has risen to the top of the heap. Oftentimes, these system intrusion incidents will involve some type of malware or ransomware as a means of gaining access to a server.
While some things never change – greed being the number one motivator behind data breach incidents – other things do change. After all, technology doesn’t stand still, and neither do the bad guys.
As the Verizon Data Breach Incident Report states, the CIS controls are what they like. Directly from the Verizon DBIR: “This year, we are showcasing a detailed breakdown of ATT&CK Techniques and Center for Internet Security (CIS) Critical Security Controls.” BFB Security is the proud author of the IBM i CIS controls, which IBM Rochester Security also confirms are what it takes, after we responded to a large IBM i data breach and were brought in to remediate, as they knew me well from many years with Lab Services. BFB Security is a proud IBM Technology Partner and a frequent writer on ITJungle, where we state over and over the importance of IBM i security training and remediation.
Simply put, data breaches will get worse before they get much worse for those who don’t follow the CIS Critical Security Controls. BFB Security secures IBM i one bit at a time using our deep knowledge and partnership with IBM Technology Group.
https://www.c-span.org/video/?c4963722/user-clip-john-gilligan-cis