Lost Laptops Get the Press; Server Breaches Cause More Stress

In the next few weeks, Forrester Research will release my report, Forrester TechRadar: Database and Server Data Security, Q1 2009. In this report, we describe how the risks of theft, corruption and abuse have made securing data stored on servers and in databases much harder. To help security and risk professionals plan their next decade of investments in server data security, the report describes the current and future state of 8 important technologies: centralized key management, data classifiers for security, data discovery scanners, data obscurity tools, database activity monitoring, database encryption, outbound web application filtering, and tape and backup encryption.

As part of the process of researching some of the business drivers for this report, I analyzed data from DataLossDB, a public database containing information on data loss events reported in the press and to governmental organizations as required by various disclosure laws. The data makes for fascinating study, and I urge our readers to take a look at it if they want to see what's been going on in the whole area of data breaches. Best of all, I know some of the principals involved in the project, and they are doing a terrific job.

Some of the analysis nuggets we mined from the database are fascinating. I thought I'd share one here, as excerpted from the report:

  • "Bulk customer data remains the coin of the realm for thieves. Personally identifiable information that enterprises keep about customers is often used to manufacture identities and open credit lines. According to the Open Security Foundation’s DataLoss DB, 67% of 553 reported data theft incidents in 2008 targeted Name and Address or Social Security Numbers.... Data loss type 'Stolen laptop' was the most common, at 20% of incidents (112 incidents).
  • "Databases remain target-rich environments. A significant proportion of sensitive information resides on web-based applications connected to databases. While lost and stolen laptops remain the most common source of lost data, according to DataLoss DB, hacks were the second-most common kind in 2008 (16%, or 88 incidents). Non-exhaustive analysis of these incidents shows that the vast majority were hacks against web applications, typically using SQL injection or other common techniques. Hacking incidents, generally against SQL servers, were extremely effective, with an average of 200,000 records disclosed per incident.
  • "By contrast, lost, stolen and missing laptops and computers resulted in one-eighth as many lost records. Of 154 incidents of type LostComputer, LostLaptop, MissingLaptop, StolenComputer, StolenComputer/StolenDrive, StolenLaptop, StolenLaptop/StolenDocument, StolenLaptop/StolenMedia, and StolenLaptop/StolenTape, the total records affected was 4 million. Average records per incident was 26,270, with a standard deviation of 89,665."

So the punchline is this: if you believe the numbers (and my analysis), servers tend to be 8-10x more radioactive than endpoint computers. I will likely be recommending a few methodological changes to the DataLoss DB schema to capture a few more pieces of information and make analyses such as mine more credible.
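The comparison above (group incident types into an asset class, then compute incident share, total records, mean and standard deviation per class, and the server-to-endpoint ratio) is easy to reproduce on an export of the database. The script below is an added example, not part of the post or of DataLossDB's own tooling; the CSV rows, column names and the mapping of "Hack" to the server class are constructed assumptions for illustration, and the numbers it produces are not the report's figures.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample in a DataLossDB-like shape (fictitious incidents, not real data).
# Assumed columns: date, organization, breach_type, records.
SAMPLE_CSV = """date,organization,breach_type,records
2008-01-14,Example Retail Co,StolenLaptop,12000
2008-02-03,Example University,Hack,250000
2008-02-20,Example Clinic,StolenLaptop,3400
2008-03-11,Example Bank,Hack,410000
2008-04-02,Example Agency,LostLaptop,75000
2008-05-19,Example Insurer,Hack,9000
2008-06-07,Example Hospital,StolenComputer,22000
2008-07-22,Example Web Store,Hack,131000
2008-08-30,Example School,MissingLaptop,1500
2008-09-15,Example Nonprofit,StolenLaptop/StolenMedia,60000
2008-10-05,Example Telco,Hack,200000
2008-11-11,Example Firm,LostComputer,8000
"""

# Incident types the post groups together as endpoint (laptop/computer) losses.
ENDPOINT_TYPES = {
    "LostComputer", "LostLaptop", "MissingLaptop", "StolenComputer",
    "StolenComputer/StolenDrive", "StolenLaptop", "StolenLaptop/StolenDocument",
    "StolenLaptop/StolenMedia", "StolenLaptop/StolenTape",
}
# Assumption for this example: "Hack" incidents are treated as server-side losses,
# matching the post's observation that hacks were predominantly against web/SQL servers.
SERVER_TYPES = {"Hack"}


def classify(breach_type):
    """Map a DataLossDB breach type onto an asset class used for the comparison."""
    if breach_type in ENDPOINT_TYPES:
        return "endpoint"
    if breach_type in SERVER_TYPES:
        return "server"
    return "other"


def parse_incidents(text):
    """Parse CSV text into incident dicts, skipping rows with no usable record count."""
    incidents = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            records = int(row["records"])
        except (KeyError, ValueError):
            continue  # unknown record count: excluded from per-incident averages
        incidents.append({
            "date": row["date"],
            "breach_type": row["breach_type"],
            "asset_class": classify(row["breach_type"]),
            "records": records,
        })
    return incidents


def summarize(incidents):
    """Per asset class: incident count, share of all incidents, total, mean and sample stdev."""
    by_class = defaultdict(list)
    for inc in incidents:
        by_class[inc["asset_class"]].append(inc["records"])
    total_incidents = len(incidents)
    summary = {}
    for asset_class, counts in by_class.items():
        summary[asset_class] = {
            "incidents": len(counts),
            "share": len(counts) / total_incidents,
            "total_records": sum(counts),
            "mean_records": statistics.mean(counts),
            # sample standard deviation; needs at least two incidents
            "stdev_records": statistics.stdev(counts) if len(counts) > 1 else 0.0,
        }
    return summary


def server_to_endpoint_ratio(summary):
    """How many times more records a server incident exposes than an endpoint incident."""
    return summary["server"]["mean_records"] / summary["endpoint"]["mean_records"]


if __name__ == "__main__":
    stats = summarize(parse_incidents(SAMPLE_CSV))
    for asset_class, s in sorted(stats.items()):
        print(f"{asset_class:9s} incidents={s['incidents']:3d} share={s['share']:5.1%} "
              f"total={s['total_records']:>9,} mean={s['mean_records']:>11,.0f} "
              f"stdev={s['stdev_records']:>11,.0f}")
    print(f"server/endpoint mean ratio: {server_to_endpoint_ratio(stats):.1f}x")
```

Rows whose record count is unknown are dropped rather than counted as zero, since zeros would silently pull the endpoint average down and inflate the ratio; the per-class standard deviation is reported alongside the mean precisely because a handful of very large incidents dominates it, which is the caveat the post itself attaches to its figures.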

In the meantime, I'd love to hear from blog readers on the subject of data breaches. What kinds of data are "toxic" for your organization? How are you protecting them? We'd like to hear from you.

Comments

re: Lost Laptops Get the Press; Server Breaches Cause More Stre

Wholeheartedly concur, Mr. Jaquith. Our case data is even more lopsided toward servers and my analysis of DataLossDB yields the same conclusions. Furthermore, I believe the scales tip even further in the direction of servers because of all the publicly disclosed number of exposed records due to laptops, only a small percentage are actually compromised. On the other hand, data from servers shows up on black market often and quickly. In general, laptop thieves want hardware, not data.

re: Lost Laptops Get the Press; Server Breaches Cause More Stre

Wade, great to hear from you. Your work with Verizon Business on this subject has been stellar, by the way. Have you published anything publicly on disclosed records per server v. per laptop? FYI, if I run the DataLossDB numbers for 2007, I get even more lopsided results than for 2008: 32,700 lost per laptop versus 1.5 million per server. The standard deviation is pretty huge, though.

re: Lost Laptops Get the Press; Server Breaches Cause More Stre

FYI, 2008 is "more complete" than 2007. We have more primary sources for 08 than we do for 07, so we're working to close that gap and FOIA more records from 07 to get a more accurate picture, but these things cost money and take time. Still, the distribution of breach types shouldn't change much. Standard deviation would still be high, but a t-distribution confidence interval would narrow significantly.

re: Lost Laptops Get the Press; Server Breaches Cause More Stre

Dave, thanks for your comments. They add some very useful context to the 2007 numbers. Just out of curiosity, does the DataLossDB have any capacity to record what type of asset was affected? For example, laptop, server, PC, smartphone, tape? These are implied in your "incident type" column, but that seems to mix the method (hack etc.) with the asset type. Happy to help with breaking these items apart in the source data. For example, I casually looked through some of the reports and noted that the "hack" incident type predominantly affected servers.

re: Lost Laptops Get the Press; Server Breaches Cause More Stre

Not at this time. In your research did you find it fairly simple to ascertain the affected asset? We might consider it if it doesn't add an extensive amount of work to daily additions.