A Statistical Analysis of Disclosed Storage Security Breaches

1. A Statistical Analysis of Disclosed Storage Security Breaches Ragib Hasan* William Yurcik University of Illinois at Urbana Champaign 2nd International Workshop on Storage Security and Survivability October 30, 2006 Dept. of Computer Science NCSA

2. Overview • Motivation and goals • Breach disclosure laws • Data sources • Analysis of Data • Future work

3. Motivation • Storage breaches have become a part of daily lives • Everyone is affected at one point or another … • CardSystems incident lost 40 million records • Veteran’s Administration incident lost 28.6 million records • Sometimes, theft of hardware exposes records indirectly • Insight into the type of breach, and type of records lost may allow better and well focused security measures

4. Goals • To look into the largely uncategorized raw data in order to • Summarize data in various dimensions • Find underlying patterns in the incidents • Compare incidents • Show vulnerabilities in various organizations • To provide a online information source for further analysis

5. Breach Disclosure Laws • Storage breaches are mostly reported only because there are state breach-reporting laws • As of 2006, only 28 states have storage breach reporting laws • These laws mandate • Notification of the customers • But not the notification in the media • A federal law is needed to ensure consistency Yurcik and Hasan, Toward One Strong National Breach Disclosure Law - Justification and Requirements, WESII ‘06

6. This paper • Deals with only disclosed storage security breaches • By disclosed we mean the breach report has been published in the news media or otherwise • This is most likely a fraction of other undisclosed storage security breaches (in other words, just the tip of the iceberg!! )

7. Data Sources

8. Data sources • PrivacyRights.org • Provides information on incidents, breach types, and record counts • Has info on 95 million record losses since Feb 15, 2005 • 182 breach incidents reported between Feb ’05-July ’06 • Attrition.org • Collects information from news sources • 183 breach incidents reported between Jan ’05-July ’06

9. Our analysis • Time period: • January 1, 2005-July 5, 2006 • Data items from these sources were • merged • duplicates removed • resolved incidents removed • Final dataset: • 219 breach incidents • For each incident, size in records, data type, breach type, organization types etc. were recorded

10. Analysis of breach incidents

11. Analysis overview • Breach incident frequency • Size of breaches (records lost) • Type of data • Mechanism of breach

12. Breach Events • Breach incidents per month • Breakdown by organizations • Comparison of case studies • Distribution over time per organization

13. Interesting periodicity, more incidents reported during the February-June period Breach Events in Time: Histogram

14. Breakdown by Organization Type Educational institutions had the largest number of breaches, followed by business organizations

15. Breach Events in Time: by Org Bank Business Edu Med

16. Breach incidents over time Most breaches in universities happened during spring and summer; in case of businesses, it happened over winter and early spring

17. Size of breach incidents • Distribution over time • Per month histogram • Breakdown among organizations

18. Breach Events by Size in Time Most breach sizes are in the range of 103-106records; only three incidents had sizes exceeding 107 records.

19. Records Lost per month: Histogram Record loss per month: more or less distributed. Spikes are two isolated incidents

20. Records Lost per Month: Log Record loss per month: more or less distributed. Spikes are two isolated incidents

21. Lost Data by Organization Type Business organizations lost the most data items

22. Who lost most records per incident? By incident count By record count Educations institutions had more breaches, but lost less data per incident

23. Breach size distribution • Typical breach size in a university is tens of thousands; • Typical breach size for a business organization is hundreds of thousands

24. Type of data • Distribution of data types • Most common data combinations • Comparison of bank, business, schools/universities, and medical institutions

25. Lost Data by Type SSN and Name/Address are most common data types lost

26. Data Type(s) Lost Per Incident SSN/NAA pairs were most popular as these combinations are used in identity theft

27. Lost Data by Type by Org Bank Business Med Edu Lost data types are characteristic of organization

28. How were the records lost? • Distribution of Breach mechanism • Comparison study for bank, business, educational/medical organizations

29. 73% theft 27% lost Breach Mechanism Breakdown by breach types: Physical and external intrusions dominate

30. Breach Mechanism: by Org Business Bank Edu Med

31. Breach mechanism vs record sizes Physical attacks tend to lose more data items

32. Future work • More detailed analysis over a longer period • Data sets will be made available at http://dais.cs.uiuc.edu/~rhasan/breachdb

33. Storage Security and Survivability (StorageSS) URL: <http://www.ncassr.org/projects/storage-sec/> Any Questions?

34. Backup Slides

35. Scatter: Events in Time

36. Quad: Records lost per month Bank Business Med Edu

37. Scatter • Scatter diagram: Size plot over time

38. Scatter • Scatter diagram: Time plot for each organization type

39. Scatter • Scatter diagram: Size plot for each data type

40. Scatter • Scatter diagram: Size plot for each organization type