A Statistical Analysis of Disclosed Storage Security Breaches

1
A Statistical Analysis of Disclosed Storage
Security Breaches

• Ragib Hasan William Yurcik
• University of Illinois at Urbana Champaign
• 2nd International Workshop on Storage Security
  and Survivability October 30, 2006

Dept. of Computer Science
NCSA
2
Overview

• Motivation and goals
• Breach disclosure laws
• Data sources
• Analysis of Data
• Future work

3
Motivation

• Storage breaches have become a part of daily
  lives
• Everyone is affected at one point or another
• CardSystems incident lost 40 million records
• Veterans Administration incident lost 28.6
  million records
• Sometimes, theft of hardware exposes records
  indirectly
• Insight into the type of breach, and type of
  records lost may allow better and well focused
  security measures

4
Goals

• To look into the largely uncategorized raw data
  in order to
• Summarize data in various dimensions
• Find underlying patterns in the incidents
• Compare incidents
• Show vulnerabilities in various organizations
• To provide a online information source for
  further analysis

5
Breach Disclosure Laws

• Storage breaches are mostly reported only because
  there are state breach-reporting laws
• As of 2006, only 28 states have storage breach
  reporting laws
• These laws mandate
• Notification of the customers
• But not the notification in the media
• A federal law is needed to ensure consistency

Yurcik and Hasan, Toward One Strong National
Breach Disclosure Law - Justification and
Requirements, WESII 06
6
This paper

• Deals with only disclosed storage security
  breaches
• By disclosed we mean the breach report has been
  published in the news media or otherwise
• This is most likely a fraction of other
  undisclosed storage security breaches (in other
  words, just the tip of the iceberg!! )

7

• Data Sources

8
Data sources

• PrivacyRights.org
• Provides information on incidents, breach types,
  and record counts
• Has info on 95 million record losses since Feb
  15, 2005
• 182 breach incidents reported between Feb
  05-July 06
• Attrition.org
• Collects information from news sources
• 183 breach incidents reported between Jan
  05-July 06

9
Our analysis

• Time period
• January 1, 2005-July 5, 2006
• Data items from these sources were
• merged
• duplicates removed
• resolved incidents removed
• Final dataset
• 219 breach incidents
• For each incident, size in records, data type,
  breach type, organization types etc. were
  recorded

10

• Analysis of breach incidents

11
Analysis overview

• Breach incident frequency
• Size of breaches (records lost)
• Type of data
• Mechanism of breach

12
Breach Events

• Breach incidents per month
• Breakdown by organizations
• Comparison of case studies
• Distribution over time per organization

13
Breach Events in Time Histogram
14
Breakdown by Organization Type
Educational institutions had the largest number
of breaches, followed by business organizations
15
Breach Events in Time by Org
Bank
Business
Edu
Med
16
Breach incidents over time

• Most breaches in universities happened during
  spring and summer in case of businesses, it
  happened over winter and early spring

17
Size of breach incidents

• Distribution over time
• Per month histogram
• Breakdown among organizations

18
Breach Events by Size in Time

• Most breach sizes are in the range of 103-106
  records only three incidents had sizes exceeding
  107 records.

19
Records Lost per month Histogram

• Record loss per month more or less distributed.
  Spikes are two isolated incidents

20
Records Lost per Month Log

• Record loss per month more or less distributed.
  Spikes are two isolated incidents

21
Lost Data by Organization Type
Business organizations lost the most data items
22
Who lost most records per incident?

• By incident count

By record count
Educations institutions had more breaches, but
lost less data per incident
23
Breach size distribution

• Typical breach size in a university is tens of
  thousands
• Typical breach size for a business organization
  is hundreds of thousands

24
Type of data

• Distribution of data types
• Most common data combinations
• Comparison of bank, business, schools/universities
  , and medical institutions

25
Lost Data by Type

• SSN and Name/Address are most common data types
  lost

26
Data Type(s) Lost Per Incident

• SSN/NAA pairs were most popular as these
  combinations are used in identity theft

27
Lost Data by Type by Org
Bank
Business
Edu
Med
Lost data types are characteristic of organization
28
How were the records lost?

• Distribution of Breach mechanism
• Comparison study for bank, business,
  educational/medical organizations

29
Breach Mechanism

• Breakdown by breach types Physical and external
  intrusions dominate

30
Breach Mechanism by Org
Business
Bank
Edu
Med
31
Breach mechanism vs record sizes

• Physical attacks tend to lose more data items

32
Future work

• More detailed analysis over a longer period
• Data sets will be made available at
  http//dais.cs.uiuc.edu/rhasan/breachdb

33

• Storage Security and Survivability (StorageSS)
• URL lthttp//www.ncassr.org/projects/storage-sec/
  gt
• Any Questions?

34
Backup Slides
35
Scatter Events in Time
36
Quad Records lost per month
Bank
Business
Med
Edu
37
Scatter

• Scatter diagram Size plot over time

38
Scatter

• Scatter diagram Time plot for each organization
  type

39
Scatter

• Scatter diagram Size plot for each data type

40
Scatter

• Scatter diagram Size plot for each organization
  type