A Statistical Analysis of Disclosed Storage Security Breaches. Ragib Hasan*, William Yurcik. University of Illinois at Urbana Champaign. Dept. of Computer Science. NCSA. 2nd International Workshop on Storage Security and Survivability, October 30, 2006.
Overview
• Motivation and goals
• Breach disclosure laws
• Data sources
• Analysis of Data
• Future work

Motivation
• Storage breaches have become a part of daily life
• Everyone is affected at one point or another …
  • CardSystems incident lost 40 million records
  • Veteran’s Administration incident lost 28.6 million records
• Sometimes, theft of hardware exposes records indirectly
• Insight into the type of breach and the type of records lost may allow better and more focused security measures

Goals
• To look into the largely uncategorized raw data in order to
  • Summarize data in various dimensions
  • Find underlying patterns in the incidents
  • Compare incidents
  • Show vulnerabilities in various organizations
• To provide an online information source for further analysis

Breach Disclosure Laws
• Storage breaches are mostly reported only because there are state breach-reporting laws
• As of 2006, only 28 states have storage breach reporting laws
• These laws mandate
  • Notification of the customers
  • But not the notification in the media
• A federal law is needed to ensure consistency
Yurcik and Hasan, Toward One Strong National Breach Disclosure Law - Justification and Requirements, WESII ‘06

This paper
• Deals with only disclosed storage security breaches
• By disclosed we mean the breach report has been published in the news media or otherwise
• This is most likely a fraction of other undisclosed storage security breaches (in other words, just the tip of the iceberg!!)

Data sources
• PrivacyRights.org
  • Provides information on incidents, breach types, and record counts
  • Has info on 95 million record losses since Feb 15, 2005
  • 182 breach incidents reported between Feb ’05-July ’06
• Attrition.org
  • Collects information from news sources
  • 183 breach incidents reported between Jan ’05-July ’06

Our analysis
• Time period:
  • January 1, 2005-July 5, 2006
• Data items from these sources were
  • merged
  • duplicates removed
  • resolved incidents removed
• Final dataset:
  • 219 breach incidents
  • For each incident, size in records, data type, breach type, organization types etc. were recorded
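The merge and duplicate-removal step above, followed by the per-organization summary used in the later slides, as an added example that is not the authors' code. The sample rows are constructed (not real incidents), and the duplicate rule (same normalized organization name, reported within 7 days) is an assumption, since the slides do not say how duplicates were identified; removal of resolved incidents is not modelled.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed sample rows (not real incidents): (org, org_type, reported, records)
SOURCE_A = [
    ("Example University", "Edu", date(2005, 3, 11), 59000),
    ("Example Card Processor, Inc.", "Business", date(2005, 6, 16), 40000000),
    ("Example Bank", "Bank", date(2005, 12, 1), 120000),
]
SOURCE_B = [
    ("example university", "Edu", date(2005, 3, 14), 59000),  # same incident, later report
    ("Example Hospital", "Med", date(2006, 2, 2), 8500),
    ("Example College", "Edu", date(2006, 4, 20), 12000),
    ("Example Retailer", "Business", date(2006, 1, 9), 300000),
]

def norm(name):
    """Case- and punctuation-insensitive organization key."""
    return "".join(c for c in name.lower() if c.isalnum())

def merge(*sources, window_days=7):
    """Merge sources; rows with the same org key reported within
    window_days of each other count as one incident (assumed rule)."""
    merged = []
    for org, kind, day, records in sorted(
            (r for s in sources for r in s), key=lambda r: r[2]):
        dup = next((m for m in merged if norm(m[0]) == norm(org)
                    and abs((day - m[2]).days) <= window_days), None)
        if dup is None:
            merged.append([org, kind, day, records])
        else:
            dup[3] = max(dup[3], records)  # keep the larger reported size
    return merged

def summarize(incidents):
    """Per org type: incident count, total records, median breach size."""
    by_type = defaultdict(list)
    for _, kind, _, records in incidents:
        by_type[kind].append(records)
    return {k: (len(v), sum(v), median(v)) for k, v in by_type.items()}

def magnitude_bins(incidents):
    """Count incidents per power of ten of records lost (10^3, 10^4, ...)."""
    return Counter(len(str(r[3])) - 1 for r in incidents)

if __name__ == "__main__":
    data = merge(SOURCE_A, SOURCE_B)
    print(len(data), summarize(data), dict(magnitude_bins(data)))
```
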
Analysis overview • Breach incident frequency • Size of breaches (records lost) • Type of data • Mechanism of breach
Breach Events • Breach incidents per month • Breakdown by organizations • Comparison of case studies • Distribution over time per organization
Breach Events in Time: Histogram. Interesting periodicity: more incidents reported during the February-June period
Breakdown by Organization Type Educational institutions had the largest number of breaches, followed by business organizations
Breach Events in Time: by Org (figure panels: Bank, Business, Edu, Med)
Breach incidents over time Most breaches in universities happened during spring and summer; in case of businesses, it happened over winter and early spring
Size of breach incidents • Distribution over time • Per month histogram • Breakdown among organizations
Breach Events by Size in Time. Most breach sizes are in the range of 10^3-10^6 records; only three incidents had sizes exceeding 10^7 records.
Records Lost per month: Histogram Record loss per month: more or less distributed. Spikes are two isolated incidents
Records Lost per Month: Log Record loss per month: more or less distributed. Spikes are two isolated incidents
Lost Data by Organization Type Business organizations lost the most data items
Who lost most records per incident? (figure panels: By incident count, By record count) Educational institutions had more breaches, but lost less data per incident
Breach size distribution • Typical breach size in a university is tens of thousands; • Typical breach size for a business organization is hundreds of thousands
Type of data • Distribution of data types • Most common data combinations • Comparison of bank, business, schools/universities, and medical institutions
Lost Data by Type SSN and Name/Address are most common data types lost
Data Type(s) Lost Per Incident SSN/NAA pairs were most popular as these combinations are used in identity theft
Lost Data by Type by Org (figure panels: Bank, Business, Med, Edu). Lost data types are characteristic of organization
How were the records lost? • Distribution of Breach mechanism • Comparison study for bank, business, educational/medical organizations
Breach Mechanism. 73% theft, 27% lost. Breakdown by breach types: Physical and external intrusions dominate
Breach Mechanism: by Org (figure panels: Business, Bank, Edu, Med)
Breach mechanism vs record sizes Physical attacks tend to lose more data items
Future work • More detailed analysis over a longer period • Data sets will be made available at http://dais.cs.uiuc.edu/~rhasan/breachdb
Storage Security and Survivability (StorageSS) URL: <http://www.ncassr.org/projects/storage-sec/> Any Questions?
Quad: Records lost per month (figure panels: Bank, Business, Med, Edu)
Scatter • Scatter diagram: Size plot over time
Scatter • Scatter diagram: Time plot for each organization type
Scatter • Scatter diagram: Size plot for each data type
Scatter • Scatter diagram: Size plot for each organization type