
Data breach surveys

There are many data breach / information security / cyber crime surveys published unfailingly every year by the consulting industry.

For reference, you may want to visit a few sources on the net, listed as follows:

All of them point to a single unassailable fact—data breaches are becoming increasingly expensive and will continue to be so.

Some of the points brought up by most of them are:

  • The cost of a data breach is on the rise.
  • After a breach, customers lose confidence and tend to change service providers. This is particularly common in the financial services industry.
  • For many countries, malicious or criminal attacks are in the top spot as the root cause of data breaches.
  • In over 50% of the cases, insiders were involved in one way or another.

What does this mean for us? It means that we are in the right place at the right time. There will always be a very strong demand for the Sherlocks of the net. Professionals who can detect, collect, collate, analyze, and investigate will find themselves on the must-hire list of most large corporations.

Let's get started with the underlying principle of forensics of any sort.

Locard's exchange principle

No study of digital investigations can be considered well begun without an understanding of the underpinning of the science. Locard's exchange principle is the foundation on which scientific investigation methodologies are built.

Dr Edmond Locard (1877-1966) was a French scientist who worked with the French Secret Service in the First World War. He was a pioneer in forensic science and criminology. He developed a methodology to identify the nature and cause of death of French soldiers and prisoners by examining the wounds, damage, stains, and other marks on the body.

He was known as the Sherlock Holmes of France.

He is often credited with the saying, "Every contact leaves a trace!"

He speculated that anybody or anything that enters or leaves a crime scene (that is, interacts with it) either leaves something behind or leaves with something from it (inadvertently or intentionally), and that this can be used as forensic evidence. Let's consider a murder. Anybody who walks into the murder scene may leave evidence of their presence in the form of footprints, fingerprints, and so on. Similarly, when someone leaves the crime scene, they may take specks of blood with them, local dust may adhere to their shoes, and so on.

How does this translate into the network world?

Essentially, every attempt to communicate with a device on the network leaves a trace somewhere; this could be at firewalls, intrusion detection systems, routers, event logs, and so on. Similarly, any attempt by an internal miscreant to access unauthorized resources will also leave a trace. This is depicted in the following image:

Figure: Locard's exchange principle in a digital world

Let's take the example of a phishing attack. As we are all aware, it begins with an innocuous mail with a massively appealing subject. The phishing mail may carry a payload in the form of an attachment (for example, a Trojan) or have a link that leads to a similar result. In this case, according to Locard's exchange principle, the two entities interacting would be the affected computer and the computer sending out the phish. Some of the evidence in this case would be the e-mail itself, Trojan horse/malware/keylogger, stolen passwords, changed passwords, attempts to cover tracks, and so on. The backdoor, once discovered, could reveal a lot of details and the IP addresses of devices that control it or receive the stolen data would also count as evidence. The command and control center for the phishing operation (if identified) would also be a goldmine of evidence.
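The trace-collection idea from the two passages above, as an added example that is not from the book: a short Python script that gathers the traces one outside host leaves across a mail gateway log, a firewall log, and an IDS alert log, and reports the hosts that appear in more than one source. The log formats, hostnames, and addresses are constructed for illustration and do not correspond to any real product.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, one format per source (not real logs).
MAIL_LOG = [
    "2023-03-01T09:12:04 mailgw from=<offer@example.invalid> to=<alice@corp.invalid> src=203.0.113.10",
]
FIREWALL_LOG = [
    "2023-03-01T09:14:30 fw ALLOW 10.0.0.25:51234 -> 203.0.113.10:443",
    "2023-03-01T09:14:31 fw ALLOW 10.0.0.25:51235 -> 198.51.100.7:443",
    "2023-03-01T09:20:02 fw ALLOW 10.0.0.25:51240 -> 203.0.113.10:443",
]
IDS_LOG = [
    "2023-03-01T09:14:30 ids ALERT sig=possible-beacon src=10.0.0.25 dst=203.0.113.10",
]
TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
PATTERNS = {
    "mail": re.compile(TS + r" mailgw .*?to=<([^>]+)> src=(\S+)"),
    "firewall": re.compile(TS + r" fw (\w+) (\S+):\d+ -> (\S+):\d+"),
    "ids": re.compile(TS + r" ids ALERT sig=(\S+) src=(\S+) dst=(\S+)"),
}

def parse_line(source, line):
    """Return (timestamp, external_ip, detail), or None if the line does not match."""
    m = PATTERNS[source].match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    if source == "mail":
        return ts, m.group(3), f"mail delivered to {m.group(2)}"
    if source == "firewall":
        return ts, m.group(4), f"{m.group(2)} {m.group(3)} -> {m.group(4)}"
    return ts, m.group(4), f"ids {m.group(2)} from {m.group(3)}"

def build_trace(logs):
    """Group every parsed event by the external IP it involves, oldest first."""
    trace = defaultdict(list)
    for source, lines in logs.items():
        for line in lines:
            parsed = parse_line(source, line)
            if parsed:
                ts, ip, detail = parsed
                trace[ip].append((ts, source, detail))
    return {ip: sorted(events) for ip, events in trace.items()}

def contacts_seen_in(trace, min_sources=2):
    """External hosts that left traces in at least min_sources distinct logs."""
    return sorted(ip for ip, ev in trace.items()
                  if len({src for _, src, _ in ev}) >= min_sources)
```

Running build_trace on the three constructed logs and then contacts_seen_in returns only 203.0.113.10, the host that delivered the mail and later received the outbound connections, while the one-off contact with 198.51.100.7 stays in the trace for manual review.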

As a network 007, it is our job to figure out what is going on and draw our conclusions accordingly.
