Is My Data at Risk? Analyzing the Past Decade of Breaches

Big data holds numerous possibilities for security, but businesses must change their approach to ensure they are proactive in their information gathering and are looking at the right areas of the organization.

We can all recall some of the biggest data breaches in recent history. The 100 million records stolen by the T.J. Maxx attackers in 2007 come to mind, as do the more recent attacks on U.S. retailers Home Depot (109 million) and Target (110 million). And what about the 130 million customers affected by the Heartland Payment Systems breach in 2009, or the 145 million eBay users hit by a major compromise last year?

 

The problem is, when we read about these incidents the focus tends to be on the companies themselves, their customers and how they’re likely to be affected in the aftermath.

While there’s nothing wrong with that in and of itself, it might be useful to take a look at the data: what was stolen, why was it stolen and where does it end up? With these answers, organizations can begin to better understand and defend against their attackers.

What’s being stolen? 

This was one of the main drivers behind a new Trend Micro report, Follow the Data: Dissecting Data Breaches and Debunking the Myths. In it, we analyze a wealth of data from publicly disclosed breaches in the U.S., as collated by California non-profit the Privacy Rights Clearinghouse (PRC), between 2005 and 2015.

Although it varied by industry, we found, in general, personally identifiable information (PII) – names, addresses, social security numbers, dates of birth, phone numbers, etc. – was the most popular data type stolen over the past decade. But there are two caveats:

  1. We worked out, for example, that if PII data has been breached, there’s a 22 percent chance financial records will also become compromised and a 23 percent chance healthcare records will be stolen. By contrast, there is only an eight percent chance payment card details will be obtained. It depends both on the situation and the attacker’s goal.
  2. The value of PII on the cybercriminal underground has dropped significantly of late because supply has outstripped demand. On average, the price has fallen from $4 per last year to $1 in 2015. This is despite the numerous money-making crimes hackers can commit with this data including identity fraud, fraudulent tax returns, applying for loans or credit cards, registering fake accounts, selling to marketing firms, and launching spam and phishing attacks.

Even credit card data has been oversupplied thanks to the sheer volume of data breaches over the past year. This has meant that sellers are no longer differentiating on price according to the brand of card.

In short, the cybercrime underground is a complex and ever-changing ecosystem where market dynamics can quickly alter the data types in demand. A good example of that is Uber accounts, which have become incredibly popular within the online black market lately, as they can be fraudulently charged with phantom rides made by the hacker/‘driver.’

Some Critical Security Controls

The figures from the last decade leave us with one concrete take-away: no matter what kind of data your organization handles, it’s at risk of theft by cybercriminals. How you mitigate this risk will depend on the size of your organization, your budget and what measures you already have in place. Check out the report for a full list of industry best practice critical security controls.

However, a good place to start includes:

  • Technical measures: Anti-malware and anti-phishing programs, web filtering, device control, data loss prevention (DLP), patch management, application controls, breach detection systems, hardware and software firewalls, and disk and device encryption.
  • Non-technical measures: Simple things like looking after staff well-being, and regular security and awareness programs can help immeasurably. Remember to test your ability to withstand and respond to attacks regularly through pen testing, ‘live-fire’ incident response drills and Red Team exercises.

Click here to read Trend Micro’s two reports: Follow the Data: Dissecting Data Breaches and Debunking the Myths and Follow the Data: Analyzing Breaches by Industry.

Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.



from Trend Micro Simply Security http://ift.tt/1Gy0pNa