Verizon's 2012 Data Breach Investigations Report

Based on the feedback we receive about this report, one of the things readers value most is the level of rigor and honesty we employ when collecting, analyzing, and presenting data. That's important to us, and we appreciate your appreciation. Putting this report together is, quite frankly, no walk in the park (855 incidents to examine isn't exactly a light load). If nobody knew or cared, we might be tempted to shave off some time and effort by cutting some corners, but the fact that you do know and do care helps keep us honest. And that's what this section is all about.

Verizon Data Collection Methodology

The underlying methodology used by Verizon remains relatively unchanged from previous years. All results are based on first-hand evidence collected during paid external forensic investigations conducted by Verizon from 2004 to 2011. The 2011 caseload is the primary analytical focus of the report, but the entire range of data is referenced extensively throughout. Though the RISK team works a variety of engagements (over 250 last year), only those involving confirmed data compromise are represented in this report. There were 90 of these in 2011 that were completed within the timeframe of this report. To help ensure reliable and consistent input, we use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to record case data and other relevant details (a fuller explanation of this follows below). VERIS data points are collected by analysts throughout the investigation lifecycle and completed after the case closes. Input is then reviewed and validated by other members of the RISK team. During the aggregation process, information regarding the identity of breach victims is removed from the repository of case data.

Data Collection Methodology for other contributors

The USSS, NHTCU, AFP, IRISSCERT, and PCeU differed in precisely how they collected the data contributed for this report, but they shared the same basic approach. All leveraged VERIS as the common denominator but used varying mechanisms for data entry. For instance, agents of the USSS used a VERIS-based internal application to record pertinent case details. For the AFP, we interviewed lead agents on each case, recorded the required data points, and requested follow-up information as necessary. The particular mechanism of data collection is less important than understanding that all data is based on real incidents and, most importantly, real facts about those incidents. These organizations used investigative notes, reports provided by the victim or other forensic firms, and their own experience gained in handling the case. The collected data was purged of any information that might identify the organizations or individuals involved and then provided to Verizon's RISK Team for aggregation and analysis.

From the numerous investigations worked by these organizations in 2011, in alignment with the focus of the DBIR, the scope was narrowed to only those involving confirmed organizational data breaches.[1] The scope was further narrowed to include only cases for which Verizon did not conduct the forensic investigation.[2] All in all, these agencies contributed a combined 765 breaches for this report. Some may raise an eyebrow at the fact that Verizon's caseload represents a relatively small proportion of the overall dataset discussed in this report, but we couldn't be happier with this outcome. We firmly believe that more information creates a more complete and accurate understanding of the problem we all collectively face. If that means our data takes a backseat in a Verizon-authored publication, so be it; we'll trade share of voice for shared data any day of the week.

[1] "Organizational data breach" refers to incidents involving the compromise (unauthorized access, theft, disclosure, etc.) of non-public information while it was stored, processed, used, or transmitted by an organization.

[2] We often work, in one manner or another, with these agencies during an investigation. To eliminate redundancy, Verizon-contributed data were used when both Verizon and another agency worked the same case.


While we're on that topic, if your organization investigates or handles data breaches and might be interested in contributing to future DBIRs, let us know. The DBIR family continues to grow, and we welcome new members.

A BRIEF PRIMER ON VERIS

VERIS is a framework designed to provide a common language for describing security incidents in a structured and repeatable manner. It takes the narrative of "who did what to what (or whom) with what result" and translates it into the kind of data you see presented in this report. Because many readers asked about the methodology behind the DBIR and because we hope to facilitate more information sharing on security incidents, we have released VERIS for free public use. A brief overview of VERIS is available on our website,[3] and the complete framework can be obtained from the VERIS community wiki.[4] Both are good companion references to this report for understanding terminology and context.
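The scoping rules from footnotes 1 and 2 above and the VERIS "who did what to what with what result" structure, as an added example that is not part of the report or of the real VERIS framework: a small Python pipeline that records constructed incidents in a simplified actor/action/asset/result shape, keeps only confirmed organizational data breaches, keeps the Verizon record when Verizon and another agency both worked the same case, strips victim identity before aggregation, and counts breaches per contributor. The field names, the case identifiers and the sample incidents are all invented for illustration; the real VERIS schema is richer and differs in naming.

```python
"""Scope, de-duplicate and anonymise incident records before aggregation.

Added illustration of the DBIR methodology text; the record layout is a
deliberate simplification and NOT the real VERIS schema.
"""
from collections import Counter
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    case_id: str              # shared id when two contributors worked the same case (assumed)
    contributor: str          # "Verizon", "USSS", "AFP", "NHTCU", "PCeU", "IRISSCERT"
    actor: str                # who
    action: str               # did what
    asset: str                # to what (or whom)
    attribute: str            # with what result: confidentiality / integrity / availability
    confirmed: bool           # forensically confirmed compromise, not merely suspected
    data_public: bool         # True when only already-public information was involved
    victim_name: Optional[str] = None   # identifying detail, removed before aggregation


def is_organizational_breach(inc: Incident) -> bool:
    """Footnote 1: confirmed compromise of non-public data held by an organization.

    Read here as a confirmed confidentiality loss; a pure availability or
    integrity event (e.g. a DoS) is an incident but not a data breach.
    """
    return inc.confirmed and not inc.data_public and inc.attribute == "confidentiality"


def prefer_verizon(incidents: Iterable[Incident]) -> List[Incident]:
    """Footnote 2: one record per case; Verizon's record wins if it exists."""
    by_case = {}
    for inc in incidents:
        current = by_case.get(inc.case_id)
        if current is None or (inc.contributor == "Verizon" and current.contributor != "Verizon"):
            by_case[inc.case_id] = inc
    return list(by_case.values())


def anonymize(inc: Incident) -> Incident:
    """Remove victim-identifying information before the record enters the repository."""
    return replace(inc, victim_name=None)


def build_dataset(raw: Iterable[Incident]) -> List[Incident]:
    """Scope -> de-duplicate -> anonymise, in the order the methodology describes."""
    in_scope = [inc for inc in raw if is_organizational_breach(inc)]
    return [anonymize(inc) for inc in prefer_verizon(in_scope)]


def breaches_by_contributor(dataset: Iterable[Incident]) -> Counter:
    """Per-contributor breach counts, the kind of figure the report tabulates."""
    return Counter(inc.contributor for inc in dataset)


# Constructed sample records (not real cases).
SAMPLE = [
    Incident("C-001", "Verizon", "external organized crime", "hacking: SQL injection",
             "web application server", "confidentiality", True, False, "Acme Retail"),
    # Same case also worked by the USSS: must collapse onto Verizon's record.
    Incident("C-001", "USSS", "external organized crime", "hacking: SQL injection",
             "web application server", "confidentiality", True, False, "Acme Retail"),
    Incident("C-002", "AFP", "internal employee", "misuse: privilege abuse",
             "database server", "confidentiality", True, False, "Example Bank"),
    # Denial of service: an incident, not a data breach.
    Incident("C-003", "Verizon", "external activist", "hacking: DoS",
             "web server", "availability", True, False, "Example Co"),
    # Suspected but never confirmed: out of scope.
    Incident("C-004", "PCeU", "external unknown", "malware",
             "POS terminal", "confidentiality", False, False, "Corner Shop"),
    # Only public information involved: out of scope.
    Incident("C-005", "NHTCU", "external unknown", "hacking",
             "public website", "confidentiality", True, True, "City Council"),
]

if __name__ == "__main__":
    dataset = build_dataset(SAMPLE)
    for inc in dataset:
        print(inc.case_id, inc.contributor, inc.actor, "->", inc.action, "->", inc.asset, "->", inc.attribute)
    print(dict(breaches_by_contributor(dataset)))
```

Of the six constructed records only two survive: C-001 (Verizon's copy, the USSS duplicate discarded) and C-002 (AFP). The DoS, the unconfirmed and the public-data-only incidents are dropped by the footnote 1 test, and every surviving record has its victim name removed. The order of the steps matters: scoping before de-duplication means an agency's out-of-scope duplicate can never displace an in-scope record, and anonymising last keeps the identifying detail available while duplicates are still being matched.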
