Verizon DBIR Data: Roughly Half of IP Theft Comes From The Hands of Insiders

A new report from Verizon examined a subset of the data included in its annual Data Breach Investigations Report (DBIR) to glean some insights about intellectual property thefts.

Detecting Employee Data Theft

The snapshot highlighted intellectual property theft to give organizations a better understanding of this type of data breach. Intellectual property theft cases reported in the 2012 edition of the report were combined with 2011 data to compile this report, Wade Baker, Verizon’s director of risk intelligence, told SecurityWeek.

Even with two years of data, the snapshot looked at a very small subset of breaches, as only 85 incidents out of about 1,500 incidents from the larger DBIR were included.

Considering the small number of incidents, the trends surrounding IP theft "gets drowned out" by the overall figures in the DBIR, Baker said. The spotlight makes it easier to see how trends for intellectual property theft diverged significantly from the overall report, Baker said.

Baker's "favorite snapshot" had to do with the distribution of threat agents. The DBIR found that the majority of the data breaches were the work of external adversaries and only 4 percent of the incidents were by insiders. When looking at only intellectual property thefts, almost half of the incidents were by insiders, which is a "dramatic change to the profile," he said.

"If a company worried about protecting IP is figuring out where to look at to protect the IP, then you need to know that insiders are a huge issue," Baker said.

There was more insider-related IP theft because the employees know where the interesting data are stored, and have access to it, Baker said. Many of them are disgruntled employees acting out on their frustration, and many others are financially motivated, selling the secrets for money.

The methods and techniques used in IP thefts were also different from the overall data breach picture. The DBIR identified seven threat categories, and the incidents were heavily weighted towards malware and hacking, Baker explained. These were opportunistic attacks, and in many cases, the attackers were using automated techniques and trying out a series of steps to see if they can break in.

Insider IP Theft

IP theft, on the other hand, is not opportunistic or random at all, Baker said. These attacks are deliberate and persistent, and attackers frequently used social engineering techniques. In fact, misuse was the most commonly used threat action, Baker said. Misuse refers to incidents where users have legitimate access to data or systems and act maliciously. There was a "strong pattern" of breaches by employees whose accounts didn't get revoked after they were terminated, Baker said.
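The "unrevoked account" pattern above is one of the few insider findings that is cheap to check for directly: reconcile the HR termination feed against authentication logs and flag any successful login that happens on or after a departure date. The script below is an added illustration, not code from the report or from Verizon; the HR dictionary, the log format and the log lines are constructed for the example, and a real deployment would read the same two feeds from the HR system and the identity provider or VPN concentrator.

```python
"""
Flag successful logins by accounts whose owner has already been terminated.
All data here is constructed for the example; real input would come from an
HR export and an authentication log (VPN, IdP, file server, and so on).
"""
import re
from datetime import datetime

# Constructed HR feed: account name -> termination date (ISO 8601, inclusive).
TERMINATIONS = {
    "jdoe": "2012-03-01",
    "asmith": "2012-04-15",
}

# Constructed auth log. Assumed line format (not a real product's format):
#   <ISO timestamp> user=<account> src=<ip> result=<success|failure> resource=<name>
AUTH_LOG = """\
2012-02-28T09:12:03 user=jdoe src=10.1.4.22 result=success resource=vpn
2012-03-02T22:41:10 user=jdoe src=203.0.113.7 result=success resource=fileshare
2012-03-03T01:05:44 user=jdoe src=203.0.113.7 result=success resource=source-repo
2012-04-14T10:00:00 user=asmith src=10.1.4.30 result=success resource=vpn
2012-04-20T08:30:00 user=asmith src=10.1.4.30 result=failure resource=vpn
2012-04-20T08:31:00 user=bjones src=10.1.4.31 result=success resource=fileshare
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) resource=(?P<resource>\S+)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def post_termination_logins(log_text, terminations):
    """Return every successful login that occurred on/after the user's termination date.

    A failed login after termination is not flagged: it is what a correctly
    revoked account looks like and belongs in a separate, lower-severity view.
    """
    findings = []
    for event in parse_auth_log(log_text):
        term_date = terminations.get(event["user"])
        if term_date is None:
            continue  # still employed (or unknown to HR): out of scope here
        term_dt = datetime.fromisoformat(term_date)
        if event["result"] == "success" and event["ts"] >= term_dt:
            findings.append({
                "user": event["user"],
                "when": event["ts"].isoformat(),
                "resource": event["resource"],
                "src": event["src"],
                "days_after": (event["ts"] - term_dt).days,
            })
    return findings


def accounts_still_active(log_text, terminations):
    """Sorted list of terminated accounts that are still being used successfully."""
    return sorted({f["user"] for f in post_termination_logins(log_text, terminations)})


if __name__ == "__main__":
    for finding in post_termination_logins(AUTH_LOG, TERMINATIONS):
        print("REVOKE: {user} used {resource} from {src} at {when} "
              "({days_after} day(s) after termination)".format(**finding))
    print("accounts needing revocation:", accounts_still_active(AUTH_LOG, TERMINATIONS))
```

On the constructed data the check reports two post-termination logins by `jdoe` (to the file share and the source repository, from an external address) and none for `asmith`, whose only post-termination attempt failed. Running this daily against the real feeds turns the "account never revoked" gap from something discovered years later into a same-day ticket.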

In contrast, social engineering was used when the attacker didn't have access and was trying to trick a person who did into granting access. Organizations have to think about internal controls and not just harden the perimeter.

Attacker timelines also differed when looking at IP thefts. Overall, the DBIR found that attacks were quick, often lasting seconds or minutes. For IP theft, the timeline extended to several days, or even weeks and years, as attackers probe systems and poke around looking for information. The delay in victim discovery, often years, was "shocking," Baker said.

Verizon also found specific trends in how data breaches affect certain industries, namely the retail, hospitality, financial services, and healthcare sectors, Baker said.

“Understanding what happens when a data breach occurs is critical to proactive prevention,” Baker said.

The financial services and insurance sectors face unique challenges because they "attract significantly more directed and tenacious criminal attention" because they are considered high-value targets, Verizon found. Most breaches in this sector are primarily financially motivated, whether the attackers were directly targeting internal accounts and applications or indirectly via fraud. Verizon also found that many of the attacks targeted ATMs, Web applications, and employees.

The sector should better protect ATMs, monitor who is using login credentials, invest in secure application development, and conduct training and awareness programs for employees, Verizon recommended.

Most of the breaches within the healthcare sector, surprisingly, were in small to medium-sized organizations with fewer than 100 employees, and in outpatient care facilities such as medical and dental offices, Verizon found. Like the financial-sector attacks, the perpetrators were financially motivated and were likely the work of organized criminal groups trying to steal data, according to the snapshot. Most of the attacks in this sector involved hacking and malware.

"These groups are notorious for knocking over smaller, low-risk targets in droves to nab personal and payment data for various and sundry fraud schemes," Verizon said.

The majority of breaches against healthcare organizations can be prevented with "some small and 'relatively easy' steps," Verizon said, such as changing the administrative passwords on all point-of-sale systems from the defaults, implementing a firewall, not using POS systems to browse the Web, and making sure the POS systems comply with PCI-DSS requirements.

The "bulk" of malicious activity against the retail industry is financially motivated, and many of the attacks involved attackers exploiting weak, guessable, or default login credentials of third-party remote access services to break into POS systems, Verizon found.

Many of the retail organizations fall into the SMB category, which means they are more likely to outsource security to third-party vendors or use an out-of-the-box product. Many of the attacks rely on social engineering or other mistakes by employees to initially infect a computer with malware. Once that machine is compromised, the attacker has access to other devices on the network, Verizon said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.