Verizon’s annual Data Breach Investigations Report (DBIR), published since 2008, has become one of the most anticipated information security industry reports. Think of it as the Data Breach Bible, as it dissects thousands of confirmed data breaches and security incidents from around the globe into emergent and shifting trends, providing us with insightful guidance to apply to our own security practices.
This year’s publication compiled the data of nearly 80,000 security incidents and more than 2,000 data compromises from 61 countries. The contributions from dozens of forensic firms, service providers, government agencies and international Computer Security Incident Response Teams (CSIRTs) help provide detailed findings based on 2014 incident and breach data.
“The top three industries affected are the same as previous years: Public, Technology/Information, and Financial Services” (DBIR, pg. 2).
Of the 79,790 security incidents, including 2,122 with confirmed data loss, the industries most affected remained the same from the previous year – Public, Technology/Information, and Finance. The Public sector was hit with a whopping 50,000 security incidents and 300 confirmed breaches; the Information industry was affected with nearly 1,500 security incidents and about 100 confirmed data breaches. Meanwhile, Financial Services organizations suffered from about 650 security incidents and close to 300 compromises. All in all, it’s clear that “no industry is immune to security failures” (DBIR, pg. 3).
“In 70% of the attacks where we know the motive for the attack, there’s a secondary victim” (DBIR, pg. 5).
The analysis of this year’s data led to an interesting new revelation – nearly 70% of attack victims are targeted for the purpose of advancing a different attack against another victim. For instance, an attacker may compromise a website to serve malware to its visitors with the intention of infecting the true target.
“Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise” (DBIR, pg. 6).
As far as breach discovery timing goes, the bad news is that we still can’t catch up to the bad guys. The good news is that the “detection deficit” is the smallest recorded in the last 10 years. The report’s chart shows how often attackers are able to compromise a victim within days or less and how often defenders are able to detect a compromise within that same time frame.
INDICATORS OF COMPROMISE
Although various viewpoints exist on the flourishing concept of threat intelligence, this year’s DBIR findings suggest information sharing will become more important if we want to “close the gap between sharing speed and attack speed” (DBIR, pg. 11). Interestingly enough, 75% of attacks observed spread from one victim to another within 24 hours, and over 40% hit the second organization one hour later.
“23% of recipients now open phishing messages and 11% click on attachments” (DBIR, pg. 12).
Phishing has long been a tried-and-true tactic for attackers, as they continue to deceive everyday users and organizations into providing sensitive information, or more recently, installing malware. With nearly 50% of users opening emails and clicking on malicious links within the first hour, it’s evident that sometimes people can be the weakest link.
“About half of the CVEs exploited in 2014 went from publish to pwn in less than a month” (DBIR, pg. 16).
We sympathize with IT teams every time high-impact vulnerabilities come to light, but the truth is you really do “need all those stinking patches on all your stinking systems” (DBIR, pg. 17). According to the DBIR crew, the real debate is whether IT teams should push to patch a given vulnerability more quickly or whether it can wait until the next normal patching cycle.
Did you know that 70-90% of malware samples are unique to an organization? This year’s findings also revealed that certain industries saw significantly more malware events per week than others. The financial sector saw an average of 350 malware events per week – meaning they may have a better filtering system for phishing emails or they’re attacked with stealthy malware that’s difficult to detect. On the other hand, the education industry saw an average of 2,332 malware events per week – the potential “byproduct of less-strict policies and controls, or a sign that their users are easy picking for high-volume opportunistic threats” (DBIR, pg. 22).
INCIDENT CLASSIFICATION PATTERNS
This isn’t a new revelation, but it’s still important to note that the vast majority of confirmed data disclosures continue to fall into a classification of nine basic attack patterns. Even when the threat landscape is rapidly evolving, we can see that the majority of data breaches are attributed to point-of-sale attacks (28.5%), while crimeware (18.8%) and cyber-espionage are tied for the #2 spot.
It’s worth noting that these patterns shift significantly when accounting for security incidents, as opposed to compromises, in which miscellaneous errors (29.4%), crimeware (25.1%) and privilege misuse (20.65%) are the top-ranked attack attributions.
“The common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people” (DBIR, pg. 32).
As always, the Verizon DBIR report provides us with insightful information as to how and why cyber attacks are so prolific across all industry sectors. The issue of cybersecurity is finally starting to be recognized as more than just an IT problem, making its way into boardroom and C-suite discussions. Compared with a few years ago, we are starting to see some improvement in the policies, practices and investments organizations are making in security, especially as legislation starts to take a leap forward. However, the efforts we’ve made to actively change these statistics for the better are only the beginning.
What will you do to avoid being another data breach statistic?
Download the full 2015 Verizon Data Breach Investigations Report here.