Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted.

Presentation transcript:

Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

IT Forensics
Lessons learned from 285 million data records stolen
Matthijs van der Wel

2 PROPRIETARY STATEMENT
This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service. This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

3 Data Breach Investigations Report

4 Methodology
Data Source
  – Verizon Business Investigative Response Team
Collection and Analysis
  – Case metrics collected during and after investigation
  – Anonymized then aggregated for analysis
  – Risk Intelligence team provides analytics
Data Sample
  – 5 years of paid forensic investigations (not internal Verizon incidents)
  – ~600 breaches in sample
  – Actual compromise rather than data-at-risk
  – Both disclosed and non-disclosed
  – Most of the largest breaches ever reported

5 VERiS

6 Breach Sources
External sources: 90+% of stolen records linked to organized crime
Internal sources: Roughly equal between end-users and IT admins
Partner sources: Mostly hijacked third-party accounts/connections

7 Breach Sources
Insider breaches typically larger…
…but overall, outsiders more damaging

8 Breach Methods
Most breaches and records linked to Hacking & Malware
Misuse is fairly common
  – Mostly abuse of authorized access
Physical attacks
  – Theft and tampering most common
Deceit and social attacks
  – Varied methods, vectors, and targets
Error is extremely common
  – Usually contributory (62%) rather than direct cause (3%)
  – Mostly omissions followed by misconfigurations

9 Breakdown of Hacking (60% of breaches)
Default credentials, SQL injection, weak ACLs most common methods
Minority of attacks exploit patchable vulns; most of them are old
Web applications & remote access connections are main vectors
Patch availability prior to breach:
  < 1 month: 0%
  1-3 months: 4%
  3-6 months: 6%
  6-12 months: 16%
  > 1 year: 74%
** Vulns expl in 16% of breaches
* 2008 Data

10 Breakdown of Malware (32% of breaches)
Most malware installed by remote attacker
Malware captures data or provides access/control
Increasingly customized

11 Attack Difficulty and Targeting
Highly difficult & sophisticated attacks not the norm
  – Difficulty usually malware rather than intrusion
Fully targeted attacks in minority but growing
  – % doubled in 2008
Difficult and targeted attacks increasingly damaging
  – Shows ROI is good for skilled attackers
Percentage of Records Breached ‘04-’
  Highly Difficult: 68%, 95%
  Fully Targeted: 14%, 90%

12 Compromised Assets and Data
Most data breached from online systems
  – Conflicts with public disclosures
Cybercrime is financially motivated
  – Cashable data is targeted
Other types common as well
  – Auth credentials allow deeper access
  – Intellectual property at 5-year high

13 Breach Timeline
Data compromised within hours/days after breaching perimeter
  – Actually good news for detection & prevention
Breaches go undiscovered for months
  – Ability to detect breaches woefully inadequate (or at least inefficient)
It typically takes days to weeks to contain a breach
  – Poor planning and response procedures

14 Breach Discovery Methods
Most breaches discovered by a third party
Majority of internal discoveries are accidental
Effectiveness of event monitoring far below potential
  – Evidence found in existing log files for 80% of breaches

15 Unknown Unknowns
A SYSTEM unknown to the organization
DATA unknowingly stored on an asset
Unknown or forgotten ICT CONNECTIONS
Accounts and PRIVILEGES not known to exist
“Yes, we’re positive all sensitive data of that type is confined to these systems.”

16 Attack Commonalities
The last year shows much of the same but new twists and trends as well
Sources: Similar distribution; organized crime behind most large breaches
  – Organized criminal groups driving evolution of cybercrime
Attacks: Criminals exploit errors, hack into systems, install malware
  – 2008 saw more targeted attacks, especially against orgs processing or storing large volumes of desirable data
  – Highly difficult attacks not common but very damaging
  – Large increase in customized, intelligent malware
Assets and Data: Focus is online cashable data
  – Nearly all breached from servers & apps
  – New data types (PIN data) sought which requires new techniques and targets
Discovery: Takes months and is accomplished by 3rd parties
Prevention: The basics–if done consistently–are effective in most cases
  – Increasing divergence between Targets of Opportunity and Targets of Choice
    ToO: Remove blatant opportunities through basic controls
    ToC: Same as above but prepare for very determined, very skilled attacks
  – Initial hack appears the easiest point of control

17 Victim Commonalities
False assumptions regarding information assets
Low awareness of network and system activity
Do not necessarily have a terrible security program
Fail to consistently and comprehensively follow “the basics”
Lack of assurance and validation procedures
Cost of prevention orders of magnitude less than impact
An inefficient approach to security
  – Focus too much on things that don’t happen
  – Focus too little on the things that do happen

18 Recommendations
Align process with policy
Achieve “Essential” then worry about “Excellent”
Secure Business Partner Connections
Create a Data Retention Plan
Control data with transaction zones
Monitor event logs
Create an Incident Response Plan
Increase awareness
Engage in mock incident testing
Changing default credentials is key
Avoid shared credentials
User Account Review
Application Testing and Code Review
Smarter Patch Management Strategies
Human Resources Termination Procedures
Enable Application Logs and Monitor
Define “Suspicious” and “Anomalous” (then look for whatever “It” is)
