Almost every security incident and data breach recorded during 2013 can be traced back to a series of basic threat types or ‘patterns’, many of which are specific to industry sectors, Verizon’s bellwether 2014 Data Breach Investigations Report (DBIR) has concluded.
The firm’s latest report - the result of input from an unprecedented 50 organisations in 95 countries - offers this as a nugget of hope for a business world hit by a surge in data breach incidents that reached record proportions during the year.
This DBIR crunched numbers from 1,367 confirmed breaches and 60,437 security incidents, uncovering nine basic patterns that seemed to lie at the root of almost every data loss event. These were point of sale, web app attacks, insider misuse, lost or stolen devices, miscellaneous/employee error, crimeware and malware, payment card skimming, DDoS, and last but not least, cyber-espionage.
While these categories are not new, Verizon’s hugely expanded DBIR analysis is the first to relate specific types of incidents to real data breaches and reported incidents, in the process discovering something that security experts have long suspected but never been able to prove: every enterprise is vulnerable to a subset of these security threats, but which threats will depend on an organisation’s type of business.
For confirmed breaches, the commonest single cause was web app attacks (e.g. software flaws and online bank phishing) on 35 percent, ahead of cyber-espionage on 22 percent, and Point-of-Sale (POS) intrusions on 14 percent. The data is striking; seven out of ten real-world data breaches were caused by only these three underlying attack vectors, ahead of card skimmers on 9 percent and insider misuse on 8 percent.
Finance led the way in terms of breaches with 465, with public sector second on 175 thanks to notification laws that compel disclosure, retail third with 148, and accommodation fourth on 137.
When looking at overall security incidents (which might or might not have led to breaches), a surprising number involved employees, with miscellaneous staff errors first on 25 percent, crimeware (i.e. malware) second on 20 percent, insider misuse third on 18 percent and physical loss fourth on 14 percent.
If this sounds a bit convoluted, the takeaway is that organisations should draw a distinction between attacks that cause security incidents and ones likely to lead to actual breaches. Which attacks are likely to lead to breaches will vary widely by sector.
For a finance organisation this means defending against phishing and authentication/web app attacks, payment card skimmers and DDoS attacks designed to take down portals. By contrast, for retail the threat is overwhelmingly about stopping POS attacks and DDoS. As to another breach-prone sector, healthcare, the major issue could be insider abuse and data theft.
Understanding the future of security could come down to grasping the way that real-world threats vary by sector over time, getting away from the generalisations that have ruled a lot of security discussion in recent years.
This might help enterprises fight back because, according to report author Wade Baker, “after analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime and the bad guys are winning.”
“Organizations need to realize no one is immune from a data breach. Compounding this issue is the fact that it is taking longer to identify compromises within an organization – often weeks or months, while penetrating an organization can take minutes or hours,” Baker said. The attackers were simply innovating faster than the defenders.
A major weakness that jumped out was the way customer credentials were being abused in many breaches, exploiting weaknesses in privilege management and authentication, he said.
After a year that witnessed some of the largest data breaches in history, Verizon’s DBIR comes bearing more bad news: every enterprise, large and small, well-protected or not, is now vulnerable to data loss whether it wants to face this fact or not. Salvation lies in information and analysis, in making the specific nature of some attacks visible.