BreachBytes

There have been several blog posts and articles that have come out lately that have to do with compiling the statistics behind the cost of a breach and the probability of data loss. There is no shortage of these types of statistics but they seem to be getting more granular and informative.

On the Data Auditing Blog there is a good two part series authored by Prat Moghe the founder of Tizor. In the first part of the series he compiles a report from a ITRC (Identity Theft Resource Center) press release on the number of losses. What’s impressive about Moghe’s work is that he not only cites the ITRC numbers be he goes on to compare them against some of his own research and analysis based on information in the Attrition database. Here are to interesting snippets from the post:

1. “They [ITRC] concluded that 2007 had 443 breaches with 127MM losses, vs. 315 breaches and 20MM losses in 2006. This means 40% growth in breaches between 2006 and 2007. “
2. “It turns out that the average loss per moderate loss incident is roughly constant! Yes – across all three years – it is roughly 50,000 losses per incident. (Precisely, this loss was 55K (2005) vs. 50K (2006) vs. 45K (2007)).”

While it seems counter-intuitive, Moghe points out that there may even be a “loss constant” (ie what an enterprise can expect in terms of the number of losses per incident based on the average over the past three years).

(more…)

SC Magazine reported today that the Davidson Companies, a Montana-based financial firm disclosed “one of its databases, containing the names and Social Security numbers of 226,000 current and past clients, was illegally accessed ‘by a third party through a sophisticated network intrusion.’” In response the firm “took its public website offline after learning of the intrusion, hired a security consulting firm to investigate the theft and notified the major credit-reporting bureaus after learning about the incident.”

We keep beating the drum at BreachBytes that enterprises need to have a response and recovery plan in place because Breaches are inevitable.

A quote by Gartner analyst John Pescatore in a recent article in PC World points out a fact that is becoming more and more common and is of grave concern to security experts:

“…government-funded cyber espionage is minimal in comparison to that carried out by criminals motivated to steal information for financial gain.”

Cybercrimes are no longer fashionable pranks by teenage hackers to get their name in the paper. Cybercrime is now being driven by financial gain and in many cases is the result of organized crime. The San Jose Mercury News did an excellent three-part series called “Ghosts in the Browser” which highlighted the rise of organized crime, particularly overseas, in the cyberworld.

What makes this so scary?

(more…)

In the end of 2007 we first noted the FastHosts breaches in the BreachBytes links to breach articles. On January 14, 2008, ComputerWorld reported that the seemingly benign and random breach(es) at FastHost – The UK’s largest hosting company – in late 2007 appear to be much worse than originally thought due to the damage that is now happening as a result. Here is the article:

New mass hack strikes sites, confounds researchers

It is interesting to see that the hackers continue to use more sophisticated methods to perform their damage and a variety of the knowledgeable security companies are quoted as not really knowing how to determine which sites were in fact infected.

Poor Salesforce.com.

They continue to be under attack by phishing scams. As a customer I have been satisfied with their responsiveness and continue to root for them. My first sighting of the last Salesforce.com attack popped up my ZDNet.com RSS Feed on 11/06/07. The same day I received an email from Salesforce.com explaining what had happened and what they were doing about it. They offered a surprising level of transparency which, in my mind, showed courage and confidence based on their timely disclosure. Over the intervening days changes were implemented that were mildly inconvenient to the user yet improved the security of the Salesforce.com installation (and more importantly our data).

(more…)