BreachBytes

There have been several blog posts and articles that have come out lately that have to do with compiling the statistics behind the cost of a breach and the probability of data loss. There is no shortage of these types of statistics but they seem to be getting more granular and informative.

On the Data Auditing Blog there is a good two part series authored by Prat Moghe the founder of Tizor. In the first part of the series he compiles a report from a ITRC (Identity Theft Resource Center) press release on the number of losses. What’s impressive about Moghe’s work is that he not only cites the ITRC numbers be he goes on to compare them against some of his own research and analysis based on information in the Attrition database. Here are to interesting snippets from the post:

1. “They [ITRC] concluded that 2007 had 443 breaches with 127MM losses, vs. 315 breaches and 20MM losses in 2006. This means 40% growth in breaches between 2006 and 2007. “
2. “It turns out that the average loss per moderate loss incident is roughly constant! Yes - across all three years - it is roughly 50,000 losses per incident. (Precisely, this loss was 55K (2005) vs. 50K (2006) vs. 45K (2007)).”

While it seems counter-intuitive, Moghe points out that there may even be a “loss constant” (ie what an enterprise can expect in terms of the number of losses per incident based on the average over the past three years).

Read the rest of this entry »

Breach Security Labs released a report containing some interesting statistics about web attacks in 2007. The entire report can be found in the Breach Security Network website (unfortunately, free registration is required). Dark Reading also has a summary of the report, although they felt 67% didn’t sound as good as 70% so they rounded up in the article title.

This report backs up what we have been reporting on in BreachBytes: more and more hacks and breaches are motivated by money. Andy weighed in on this trend with his excellent write up on the rise of organized crime in cybersecurity. I wrote about the subject most recently in my post on the motivations of modern hackers. Danny Quist from Offensive Computing noted in a comment that I should have had money as the #1 motivation and not #2. He was right.

Read the rest of this entry »

Most of my posts on BreachBytes are about using flow data, primarily NetFlow, for network security, incident response and network forensics on enterprise networks. I also tend to get rather technical most of the time. For this post I want to take a step back and answer the following question: what’s the big deal about network flow data? Let me try to answer this question in a single sentence:

“Network flow data, which can be generated by all enterprise routers, provides security analysts with real-time, long-term network visibility that can be used to prevent data leakage, defend against the insider threat and enhance incident response effectiveness.”

Key Points:

1. Generated by all enterprise routers: The technology is in place, your network can generate flow data in some form.
2. Real-time: Flow reporting can be near-real time depending on configuration.
3. Network visibility: Most enterprises are essentially blind to their internal network (the Soft Gooey Center — good in candy, bad in networks).
4. Long-term: Disk is cheap and flows are small, while still providing adequate information for a variety of network security tasks.

Read the rest of this entry »

SC Magazine reported today that the Davidson Companies, a Montana-based financial firm disclosed “one of its databases, containing the names and Social Security numbers of 226,000 current and past clients, was illegally accessed ‘by a third party through a sophisticated network intrusion.’” In response the firm “took its public website offline after learning of the intrusion, hired a security consulting firm to investigate the theft and notified the major credit-reporting bureaus after learning about the incident.”

We keep beating the drum at BreachBytes that enterprises need to have a response and recovery plan in place because Breaches are inevitable.

If you have the money ($75K+) and a big data center moving a lot of data, Cisco’s Nexus 7000 series switch offers wickedly fast processing power and a lot of compelling security features. Hopefully this signals an increased interest in network security by the switch vendors.

Running NX-OS version 4.0, the Nexus 7000 switch supports a wide variety of useful security features you’d expect from a high-end switch: 802.1x, RADIUS, MAC-based ACLs for policy enforcement, etc. More important to us at BreachBytes is the native hardware support for NetFlow. I commented Monday on the fact that sFlow is generally more prevalent in switches than NetFlow, however Cisco seems to be challenging this assertion with their OS upgrade and supporting products like the Nexus 7000.

Read the rest of this entry »