In the next few weeks, Forrester Research will release my report, Forrester TechRadar: Database and Server Data Security, Q1 2009. In this report, we describe how the risks of theft, corruption and abuse has made securing data stored on servers and in databases much harder. To help security and risk professionals plan their next decade of investments in server data security, the report describes current and future state of 8 important technologies: centralized key management, data classifiers for security, data discovery scanners, data obscurity tools, database activity monitoring, database encryption, outbound web application filtering, and tape and backup encryption.
As part of the process of researching some of the business drivers for this report, I analyzed data from DataLossDB, a public database containing information on data loss events reported in the press and to governmental organizations as required by various disclosure laws. The data makes for fascinating study, and I urge our readers to take a look at it if they want to see what's been going on in the whole area of data breaches. Best of all, I know some of the principals involved in the project, and they are doing a terrific job.
Some of the analysis nuggets we mined from the database are fascinating. I thought I'd share one here, as excerpted from the report:
- "Bulk customer data remains the coin of the realm for thieves. Personally identifiable information that enterprises keep about customers is often used to manufacture identities and open credit lines. According to the Open Security Foundation’s DataLoss DB, 67% of 553 reported data theft incidents in 2008 targeted Name and Address or Social Security Numbers…. Data loss type 'Stolen laptop' was the most common, at 20% of incidents (112 incidents).
- "Databases remain target-rich environments. A significant proportion of sensitive information resides on web-based applications connected to databases. While lost and stolen laptops remain the most common source of lost data, according to DataLoss DB, hacks were the second-most common kind in 2008 (16%, or 88 incidents). Non-exhaustive analysis of these incidents shows that the vast majority were hacks against web applications, typically using SQL injection or other common techniques. Hacking incidents, generally against SQL servers, were extremely effective, with an average of 200,000 records disclosed per incident.
- "By contrast, lost, stolen and missing laptops and computers resulted in one-eighth as few lost records. Of 154 incidents of type LostComputer, LostLaptop, MissingLaptop, StolenComputer, StolenComputer/StolenDrive, StolenLaptop, StolenLaptop/StolenDocument, StolenLaptop/StolenMedia, and StolenLaption/StolenTape, the total records affected was 4 million. Average records per incident was 26,270, with a standard deviation of 89,665."
So the punchline is this: if you believe the numbers (and my analysis), servers tend to be 8-10x more radioactive than endpoint computers. I will likely be recommending a few methodological changes to the DataLoss DB schema to capture a few more pieces of information and make analyses such as mine more credible.
In the meantime, I'd love to hear from blog readers on the subject of data breaches. What kinds of data are "toxic" for your organization? How are you protecting them? We'd like to hear from you.