
2014 Verizon Data Breach Investigations Report Now Available

Each and every year the security industry eagerly awaits the Verizon Data Breach Investigations Report (DBIR). With data from more than 50 contributing organisations around the globe (95 countries represented) and over 63,000 security incidents analysed, the DBIR provides the most comprehensive information on our current threat landscape. The report can be downloaded here.

This year’s DBIR has a fantastic and fresh new way of interpreting the data. When I am speaking at events or discussing statistics with clients, I frequently get asked how to make sense of it all: what does a threat actor versus an action mean, and how do I find what’s relevant to my company?

This year they have introduced the “top 9 patterns” breakdown and a new “at a glance” range, and have made it even easier to see where the risks are and how to mitigate such attacks. More to come on that later…

Let’s delve straight into some of the stats for last year.

Verizon identified 9 patterns that cover 92% of the security incidents they analysed over the last 10 years and 94% of the breaches that they looked at in 2013.

The categories are:

Point of Sale (POS) Intrusions

When attackers compromise the computers and servers that run POS applications, with the intention of capturing payment data.

Web App Attacks

When attackers use stolen credentials or exploit vulnerabilities in web applications — such as content management systems (CMS) or e-commerce platforms.

Insider Misuse

This is mainly misuse by insiders, but outsiders (through collusion) and partners (because they are granted privileges) show up as well. Potential culprits come from every level of the business, from the frontline to the boardroom.

Physical Theft/Loss

The loss or theft of laptops, USB drives, printed papers and other information assets, mostly from offices, but also from vehicles and homes.

Miscellaneous Errors

Simply, any mistake that compromises security. This may mean accidentally posting private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely.

Crimeware

Crimeware is a broad category, covering any use of malware (often web-based) to compromise systems such as servers and desktops. This pattern includes phishing attacks.

Payment Card Skimmers

The physical installation of a “skimmer” on an ATM, forecourt gas pump or POS terminal, to read your card data as you pay.

Denial of Service (DoS) Attacks

These are attacks, not attempted breaches. Attackers use “botnets” of PCs and powerful servers to overwhelm an organisation’s systems and applications with malicious traffic, causing normal business operations to grind to a halt.

Cyber-Espionage

When state-affiliated actors breach an organisation, often via targeted phishing attacks, to obtain intellectual property.

Everything else

If we look at the percentage of breaches for last year, in 2013 we saw Web App Attacks taking the top spot, followed by Cyber-Espionage and POS Intrusions. Last year was most definitely the year for POS attacks, with the attacks on Target, Neiman Marcus and Michaels to name a few.

[Figure: dbir01]

If we look at data breaches by industry, this year reinforces, like every other year, that no industry is immune from cyber attacks, nor do cyber attacks discriminate by how big or small you are.

We see that the finance industry caught the brunt of the attacks last year, followed by public/government and the retail industries:

[Figure: dbir1]

Verizon also introduced a fantastic addition this year, graphing of statistics over the past 10 years, which shows us just how things have changed over the years and reinforces what we security folk see every day in our jobs.

If we look at the number of breaches per category over the last 10 years, external attacks/attackers still account for the majority (I don’t personally think that will ever change). More importantly, internal/insider threats such as malicious employees are still prominent and steady, and are one area of the business that I see organisations ignore or forget about, time and time again.

[Figure: dbir2]

[Figure: dbir3]

So how have companies been getting hacked over the years, and more importantly in 2013? Well, last year we saw hacking as the number one way companies were attacked (similar to previous years), followed by malware and social tactics such as social engineering and spear phishing. Notice how the hacking and malware categories explode upward in 2009 and social tactics begin to climb in 2010. These have parallel stories in the real world (e.g. better automated attack tools and DIY malware kits). It’s interesting to see how the general evolution of data storage, cloud and IaaS has caused a massive drop in physical attacks and various other attack methods.

[Figure: dbir4]

If we look at the changes in the top 10 actions against last year, we see that the use of stolen credentials is now number 1, followed by export of data via malware, and then phishing attacks. These are areas on which companies of all types and sizes need to place greater emphasis.

[Figure: dbir5, top threat actions]

So what assets are attackers going after? We see that servers are still number 1 (same as last year), so no real surprises there: attackers know this is where an organisation’s data is held. User devices have been growing over time because they offer an easy foot in the door. And of course there are people, usually the weakest link in an organisation’s security chain, targeted through attacks on human weakness such as social engineering.

This data is especially useful because it reveals the “footprint” of attackers as they travel through the victim’s environment in search of data. As defenders, it gives us a sense of what may need extra attention or protection, but to be honest, I personally see weaknesses in these top 3 areas, day-in and day-out on engagements.

[Figure: dbir6, what are they after]

When it comes to time to compromise versus time to discovery, the data clearly shows us that each and every year attackers are getting better and better at breaching organisations. They require less and less time to breach a network (usually days or less), while in most cases (although organisations are slowly getting better) it takes organisations an extraordinarily long time, anywhere from weeks to years, to detect the intruder(s) and remove their access.

[Figure: dbir7]

If we look at the frequency of incident classification patterns, we see Web App Attacks taking the top spot, followed by Cyber-Espionage and POS Intrusions:

[Figure: dbir9a]

With the patterns telling a similar story:

[Figure: dbir10, incident classification patterns]

If we look at the victims per industry, the report makes it easy for organisations to review where their main risks are and where they need to focus their efforts based on the top 9, a fantastic addition to this year’s DBIR.

[Figure: dbir11]

The report also breaks down each of the top 9 categories into individual time frames, from initial compromise through to containment, which is quite an interesting read, and then assigns recommended controls (remediation) to each pattern.
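To make the compromise-versus-discovery gap discussed above concrete, here is an added example that is not part of the original post or of Verizon’s own tooling. It takes a handful of constructed incident records (the timestamps and pattern assignments are made up, not DBIR data), places time to compromise and time to discovery into the same unit bins the report uses (seconds through years), and then produces both a per-pattern breakdown and the headline figures: the share of incidents compromised in days or less, and the share discovered only after weeks or more. The field names `first_action`, `compromised` and `discovered` are assumptions for the example.

```python
"""Added example (not DBIR code or data): summarising the gap between how
quickly attackers compromise a victim and how slowly the victim notices.
All incident records below are constructed for illustration."""
from collections import Counter
from datetime import datetime

# Constructed sample records (made-up timestamps, ISO-8601). Field names
# are assumptions for this example, not a DBIR/VERIS schema.
SAMPLE_INCIDENTS = [
    {"pattern": "Web App Attacks", "first_action": "2013-03-01T08:00:00",
     "compromised": "2013-03-01T09:30:00", "discovered": "2013-05-20T10:00:00"},
    {"pattern": "Web App Attacks", "first_action": "2013-06-10T00:00:00",
     "compromised": "2013-06-12T00:00:00", "discovered": "2013-06-20T00:00:00"},
    {"pattern": "POS Intrusions", "first_action": "2013-11-27T00:00:00",
     "compromised": "2013-11-27T00:05:00", "discovered": "2013-12-15T00:00:00"},
    {"pattern": "Cyber-Espionage", "first_action": "2013-01-05T00:00:00",
     "compromised": "2013-01-05T00:00:30", "discovered": "2014-02-01T00:00:00"},
    {"pattern": "Insider Misuse", "first_action": "2013-08-01T00:00:00",
     "compromised": "2013-08-01T00:00:00", "discovered": "2013-08-01T04:00:00"},
]

# Unit bins in the style of the DBIR time-to-compromise/discovery charts.
# Each entry is (bin name, exclusive upper bound in seconds).
BINS = [
    ("seconds", 60),
    ("minutes", 60 * 60),
    ("hours", 24 * 60 * 60),
    ("days", 7 * 24 * 60 * 60),
    ("weeks", 30 * 24 * 60 * 60),
    ("months", 365 * 24 * 60 * 60),
]
DAYS_OR_LESS = {"seconds", "minutes", "hours", "days"}


def time_bin(seconds: float) -> str:
    """Map an elapsed duration to its DBIR-style unit bin."""
    for name, upper in BINS:
        if seconds < upper:
            return name
    return "years"


def _elapsed(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds()


def classify(incident: dict) -> dict:
    """Bin one incident's time to compromise and time to discovery."""
    return {
        "pattern": incident["pattern"],
        "compromise": time_bin(_elapsed(incident["first_action"], incident["compromised"])),
        "discovery": time_bin(_elapsed(incident["compromised"], incident["discovered"])),
    }


def gap_by_pattern(incidents: list) -> dict:
    """Per-pattern counts of compromise and discovery bins, as in the
    report's per-category time-frame breakdown."""
    summary = {}
    for inc in incidents:
        row = classify(inc)
        entry = summary.setdefault(
            row["pattern"], {"n": 0, "compromise": Counter(), "discovery": Counter()})
        entry["n"] += 1
        entry["compromise"][row["compromise"]] += 1
        entry["discovery"][row["discovery"]] += 1
    return summary


def headline_gap(incidents: list) -> dict:
    """The two numbers that tell the story: how often attackers get in within
    days, and how often defenders need weeks or longer to notice."""
    rows = [classify(i) for i in incidents]
    n = len(rows)
    fast_in = sum(r["compromise"] in DAYS_OR_LESS for r in rows) / n
    slow_out = sum(r["discovery"] not in DAYS_OR_LESS for r in rows) / n
    return {"compromised_in_days_or_less": fast_in,
            "discovered_in_weeks_or_more": slow_out}


if __name__ == "__main__":
    for pattern, entry in gap_by_pattern(SAMPLE_INCIDENTS).items():
        print(f"{pattern}: n={entry['n']} compromise={dict(entry['compromise'])} "
              f"discovery={dict(entry['discovery'])}")
    print(headline_gap(SAMPLE_INCIDENTS))
```

Feeding your own incident register through `gap_by_pattern` is a quick way to see which of the top 9 patterns your detection capability is slowest against, which is exactly where the report’s recommended controls should be prioritised.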

Here’s the excerpt from the Web App Attacks section:

[Figure: dbir12, web app stats]

Verizon also provides a great overview infographic, available here:

[Figure: dbir]

So…in my opinion, the primary takeaways that need to be hammered into organisations include:

  • It could be you. All sizes of business and all industries are at risk of some kind of security event. Even if you think your organisation is at low risk of external attacks, there remains the possibility of insider misuse and errors that harm systems and expose data.
  • Most attacks are perpetrated by external actors, as opposed to employees and partners, but rest assured, you should be reviewing and assessing both areas of the organisation by scheduling penetration testing.
  • A defence-in-depth strategy is key. Although the report highlights the areas that organisations need to focus on, organisations need to round off a defence-in-depth strategy by addressing all areas of the business, from people and processes through to design, implementation, monitoring and detection.
  • Although attackers are mainly going for payment and bank data, which they can quickly convert into cash, user credentials are also a popular target, but mainly as a gateway to other kinds of data or other systems.
  • Attackers have got faster at breaching systems. Defenders are getting faster too — but they’re falling further behind.
  • Organisations, now more than ever, need to invest time and capital into protecting their assets and ensure they are making it as hard as possible for attackers to breach their networks; every breach has flow-on effects for both industry and individuals.
  • Make security a key priority in your budgetary planning for the next financial year.

If you would like some more information on the services we offer to help organisations meet their security goals, please get in touch or alternatively you can catch me speaking at the Crisis & Consumer Response Data Breach Conference (CCR14) in Sydney on the 23rd of May.

Till next time, Dan