1 / 40

A Statistical Analysis of Disclosed Storage Security Breaches

A Statistical Analysis of Disclosed Storage Security Breaches. Ragib Hasan * William Yurcik University of Illinois at Urbana Champaign 2 nd International Workshop on Storage Security and Survivability October 30, 2006. Dept. of Computer Science. NCSA. Overview. Motivation and goals

hova
Download Presentation

A Statistical Analysis of Disclosed Storage Security Breaches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Statistical Analysis of Disclosed Storage Security Breaches Ragib Hasan* William Yurcik University of Illinois at Urbana Champaign 2nd International Workshop on Storage Security and Survivability October 30, 2006 Dept. of Computer Science NCSA

  2. Overview • Motivation and goals • Breach disclosure laws • Data sources • Analysis of Data • Future work

  3. Motivation • Storage breaches have become a part of daily lives • Everyone is affected at one point or another … • CardSystems incident lost 40 million records • Veteran’s Administration incident lost 28.6 million records • Sometimes, theft of hardware exposes records indirectly • Insight into the type of breach, and type of records lost may allow better and well focused security measures

  4. Goals • To look into the largely uncategorized raw data in order to • Summarize data in various dimensions • Find underlying patterns in the incidents • Compare incidents • Show vulnerabilities in various organizations • To provide a online information source for further analysis

  5. Breach Disclosure Laws • Storage breaches are mostly reported only because there are state breach-reporting laws • As of 2006, only 28 states have storage breach reporting laws • These laws mandate • Notification of the customers • But not the notification in the media • A federal law is needed to ensure consistency Yurcik and Hasan, Toward One Strong National Breach Disclosure Law - Justification and Requirements, WESII ‘06

  6. This paper • Deals with only disclosed storage security breaches • By disclosed we mean the breach report has been published in the news media or otherwise • This is most likely a fraction of other undisclosed storage security breaches (in other words, just the tip of the iceberg!! )

  7. Data Sources

  8. Data sources • PrivacyRights.org • Provides information on incidents, breach types, and record counts • Has info on 95 million record losses since Feb 15, 2005 • 182 breach incidents reported between Feb ’05-July ’06 • Attrition.org • Collects information from news sources • 183 breach incidents reported between Jan ’05-July ’06

  9. Our analysis • Time period: • January 1, 2005-July 5, 2006 • Data items from these sources were • merged • duplicates removed • resolved incidents removed • Final dataset: • 219 breach incidents • For each incident, size in records, data type, breach type, organization types etc. were recorded

  10. Analysis of breach incidents

  11. Analysis overview • Breach incident frequency • Size of breaches (records lost) • Type of data • Mechanism of breach

  12. Breach Events • Breach incidents per month • Breakdown by organizations • Comparison of case studies • Distribution over time per organization

  13. Interesting periodicity, more incidents reported during the February-June period Breach Events in Time: Histogram

  14. Breakdown by Organization Type Educational institutions had the largest number of breaches, followed by business organizations

  15. Breach Events in Time: by Org Bank Business Edu Med

  16. Breach incidents over time Most breaches in universities happened during spring and summer; in case of businesses, it happened over winter and early spring

  17. Size of breach incidents • Distribution over time • Per month histogram • Breakdown among organizations

  18. Breach Events by Size in Time Most breach sizes are in the range of 103-106records; only three incidents had sizes exceeding 107 records.

  19. Records Lost per month: Histogram Record loss per month: more or less distributed. Spikes are two isolated incidents

  20. Records Lost per Month: Log Record loss per month: more or less distributed. Spikes are two isolated incidents

  21. Lost Data by Organization Type Business organizations lost the most data items

  22. Who lost most records per incident? By incident count By record count Educations institutions had more breaches, but lost less data per incident

  23. Breach size distribution • Typical breach size in a university is tens of thousands; • Typical breach size for a business organization is hundreds of thousands

  24. Type of data • Distribution of data types • Most common data combinations • Comparison of bank, business, schools/universities, and medical institutions

  25. Lost Data by Type SSN and Name/Address are most common data types lost

  26. Data Type(s) Lost Per Incident SSN/NAA pairs were most popular as these combinations are used in identity theft

  27. Lost Data by Type by Org Bank Business Med Edu Lost data types are characteristic of organization

  28. How were the records lost? • Distribution of Breach mechanism • Comparison study for bank, business, educational/medical organizations

  29. 73% theft 27% lost Breach Mechanism Breakdown by breach types: Physical and external intrusions dominate

  30. Breach Mechanism: by Org Business Bank Edu Med

  31. Breach mechanism vs record sizes Physical attacks tend to lose more data items

  32. Future work • More detailed analysis over a longer period • Data sets will be made available at http://dais.cs.uiuc.edu/~rhasan/breachdb

  33. Storage Security and Survivability (StorageSS) URL: <http://www.ncassr.org/projects/storage-sec/> Any Questions?

  34. Backup Slides

  35. Scatter: Events in Time

  36. Quad: Records lost per month Bank Business Med Edu

  37. Scatter • Scatter diagram: Size plot over time

  38. Scatter • Scatter diagram: Time plot for each organization type

  39. Scatter • Scatter diagram: Size plot for each data type

  40. Scatter • Scatter diagram: Size plot for each organization type

More Related