Breaches are now a global battle

It is often assumed that the US and bits of Europe suffer more data breaches because they represent the most valuable targets. A second assumption is that some sectors are more at risk than others, including in the UK.

There is some truth in these generalisations, but over time the evidence strongly suggests that data breaches are merging into a global phenomenon whose industrial scale threatens every organisation regardless of sector, nationality or size.


The majority of the real-world data breaches analysed by Verizon in its annual Data Breach Investigations Report (DBIR) were in larger firms in the US, which is where most of its customers are located. But the increasing prevalence of non-US breaches is a noticeable trend. Examples of this in April 2016 alone included a 1.4GB cache apparently stolen from Qatar National Bank (QNB), and several massive attacks on voter databases in countries including the Philippines (55 million records), Turkey (50 million records) and Mexico (87 million records).

Gemalto’s database of reported global data breaches confirms this, with 11 of the top 20 most serious breaches occurring outside the US in the year to April 2016.

A lot of data breaches are never reported – or even discovered

If breaches are never reported, how is it possible to measure the degree of under-reporting? It’s a matter of inference. First, most confirmed breaches analysed by Verizon happened in a matter of minutes or hours but weren’t discovered for weeks or months, or at all. That gap between compromise and discovery points to the simple fact that organisations can’t report what they don’t know about.

Second, and most important of all, the majority of breaches, including many in the US, now come to light when they are discovered externally, either when the data is posted to a forum or chanced upon by a researcher. The obvious example of this is the Ashley Madison hack of July 2015, which the company was unaware of until the data was publicly released. Many other breaches have unfolded in the same way, with the breached organisation playing a frantic game of catch-up against an attacker long gone.

The bottom line: it often won’t be the hacked organisation that confirms it has suffered a data breach. It’s the criminals or researchers who tell the world, which makes reported breaches a pretty arbitrary barometer of the scale of real-world breach activity.

The insider threat is misunderstood

The issue of insider attacks turns out to be more complex than it first appears. Broadly, Verizon’s DBIR found that the threat from insiders (i.e. employees) is exaggerated – it accounted for 172 incidents involving data loss out of a total of 2,260 confirmed during 2015 – which runs slightly counter to the prevailing paranoia about the growing risk of insider collusion.

The definition of an insider attack is broad, taking in all incidents that originate from behind the firewall, which means the category also includes the misuse of stolen credentials, including those issued to partners and customers. A portion of those “insider” attacks are therefore simply attacks launched from inside the network rather than attacks carried out by employees, an important difference.

Verizon’s breakdown is that 77 percent of internal breaches were deemed to be by employees, 11 percent by external actors only, three percent by partners, and eight percent involved some kind of internal-external collusion, which makes them hard to categorise. Annual DBIR reports since 2010 show that, in purely numerical terms, internal attackers account for around one in five of the successful breaches the company has looked at.

Although the figure is far from insignificant, the DBIR authors sum it up this way: “Let’s face it, no matter how big your house may be there are more folks outside it than there are inside it.”

On the other hand, the real threat from insiders isn’t that they are numerous but that when insiders go bad it often takes a long time to be uncovered, possibly years, and sometimes it never is.

Cyber-espionage is rare but usually serious

Attacks by nation states are still rare – around 0.4 percent of confirmed breaches – but make for a particular kind of data breach that is hard to generalise about. Nation state attackers almost always go after particular types of organisation in key sectors, either to gather intelligence about their inner workings or to steal data, but on the odd occasion when they don’t the result is usually memorable.

The likely North Korean-sponsored attack on Sony in 2014 was a perfect example of that. Few if any nation states would be interested in the emails sent to and from executives of an entertainment company, but nation states sometimes have esoteric motivations that resemble those of ideological hacktivists. Nevertheless, the most popular target of nation states (32 breach incidents, says Verizon) is the bureaucracies of other nation states.

Internet of Things attacks are still on the drawing board

Undoubtedly, IoT has created a new class of device that data breach attackers will target at some point. What Verizon is able to state is that it isn’t seeing this class of device in real-world breach attacks, or not yet.

“We’ve not seen a significant volume of incidents involving mobile or IoT devices yet. But the threat is certainly real. Proof of concept exploits have been demonstrated and it’s only a matter of time before we see a large-scale breach.”

More surprisingly, mobile has also yet to light up when it comes to breaches. There is a lot of anxiety about mobile devices being used in attacks, but it’s not showing up in Verizon’s breach investigations.

Data breach trends 2016 – successful data breaches are rarely difficult

The attack that launches almost all successful external data breaches is a simple phishing attack using an attachment or link sent via email. It sounds obvious, but it’s worth paying attention to. Unlike threat reports from security vendors, Verizon’s report is written after looking into real attacks. Phishing works, and if it doesn’t the attackers can keep it up until it does (12 percent of recipients click on attachments or links).

The second arm of many breaches is the targeting of software vulnerabilities, and here, again, attackers are often not being asked to work that hard. Interestingly, the conventional wisdom is that patching as rapidly as possible is the best form of defence, but Verizon’s report suggests it’s actually consistency that matters more. Many attacks successfully exploit older software flaws – the most exploited flaws in 2015 data breaches were CVEs published in 2010 and 2011.
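The consistency point above is easy to state but rarely measured. The script below is an added illustration, not part of the article or of Verizon’s report: it takes a constructed inventory of hosts and the fixes applied to them, with placeholder CVE identifiers (not real CVE numbers), and reports two things a defender would want from such data: the fraction of the estate carrying each fix (the consistency measure) and which long-published vulnerabilities still have at least one unpatched host. The `Vuln`, `Host`, `coverage` and `stale_exposures` names and the `FIX-*` patch identifiers are all assumptions made for the example.

```python
"""Patch-consistency check over a constructed host inventory.

Added example: data, identifiers and helper names are invented for
illustration and are not drawn from the DBIR or any real estate.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    cve_id: str        # placeholder ids below, not real CVE numbers
    published: date    # date the CVE became public
    fix_id: str        # hypothetical vendor fix that remediates it


@dataclass(frozen=True)
class Host:
    name: str
    applied_fixes: frozenset


# Constructed inventory for the example (not taken from the report).
VULNS = [
    Vuln("CVE-2010-EXAMPLE-A", date(2010, 3, 1), "FIX-A"),
    Vuln("CVE-2011-EXAMPLE-B", date(2011, 6, 1), "FIX-B"),
    Vuln("CVE-2015-EXAMPLE-C", date(2015, 11, 1), "FIX-C"),
]
HOSTS = [
    Host("web-1", frozenset({"FIX-A", "FIX-B", "FIX-C"})),
    Host("web-2", frozenset({"FIX-B", "FIX-C"})),      # missing the 2010 fix
    Host("db-1", frozenset({"FIX-A"})),                 # missing 2011 and 2015 fixes
    Host("legacy-1", frozenset({"FIX-B"})),             # missing 2010 and 2015 fixes
]
AS_OF = date(2016, 5, 1)  # assessment date used by the example


def coverage(vulns, hosts):
    """Fraction of hosts carrying the fix for each CVE: the consistency measure."""
    return {
        v.cve_id: sum(v.fix_id in h.applied_fixes for h in hosts) / len(hosts)
        for v in vulns
    }


def stale_exposures(vulns, hosts, as_of, min_age_days=365):
    """CVEs at least min_age_days old that some host still lacks a fix for.

    Returns (cve_id, age_in_days, sorted unpatched host names), oldest first.
    Old, widely known flaws with any gap in coverage are the ones the report
    says attackers keep reaching for, so they head the list.
    """
    out = []
    for v in vulns:
        age = (as_of - v.published).days
        missing = sorted(h.name for h in hosts if v.fix_id not in h.applied_fixes)
        if age >= min_age_days and missing:
            out.append((v.cve_id, age, missing))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    for cve, frac in coverage(VULNS, HOSTS).items():
        print(f"{cve}: {frac:.0%} of hosts patched")
    for cve, age, names in stale_exposures(VULNS, HOSTS, AS_OF):
        print(f"{cve}: published {age} days ago, still unpatched on {', '.join(names)}")
```

With the constructed data, the 2015 flaw is excluded by the age threshold even though half the hosts lack its fix, while the 2010 and 2011 flaws are flagged because a single straggler keeps the old vulnerability exploitable. The useful reading is the gap list, not the average: an estate that is 98 percent patched for a six-year-old CVE still contains the host the attacker needs.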